Abstract.

This thesis is concerned with the development of mathematical tools for reasoning about computer programs. The approach is to design and investigate the properties of various dynamic logics with an emphasis on useful expressive power and adequate proof theory.

First, rigorous definitions of the propositional and first-order dynamic logics are given, with an emphasis on the flexibility obtained by not specifying the class of programs which these logics can discuss. A large portion of the results obtained to date in the investigation of dynamic logic is included and put in proper perspective. Then, a proof theory is developed based upon the idea of axiomatizing the first-order dynamic logics relative to arithmetical universes. Such axiomatizations are supplied and proved arithmetically complete for the regular (flowcharts) and context-free (recursive programs) cases. The notions of diverging and failing are then introduced, with the aid of which the concept of total correctness is defined and the concept of a weakest precondition clarified. A detailed investigation of the properties of diverging and failing is then carried out, including the construction of arithmetically complete axiomatizations of both the regular and context-free logics obtained by supplying dynamic logic with the ability to discuss diverging directly.

Throughout, the presentation stresses the need to be able to express interesting properties of programs and to be able to prove them when true.
0. Introduction.

At one time or another, every programmer has come across the need to be able to state some property of his program or programs in an unambiguous way. Quite often this property is related in some way to the correctness of the program: "this program sorts its input in ascending order", "this program right-justifies a paragraph of input text" etc. Often it is an undesirable property that is of interest: "this program contains an infinite loop", "this PL/I translation of this Fortran program does not behave exactly as the original" etc. Certainly these statements are not precise and cannot be taken as a basis for a serious discussion about the program in question. Moreover, the need might arise, whether initiated by the programmer himself or by an outsider, to supply some kind of proof of the truth of such claims.

In this thesis we take upon ourselves the development of mathematical tools for expressing interesting assertions about programs and for proving those which, in a well defined sense, are true. These two concerns, expressing and proving, will serve as landmarks throughout the thesis. Various formal logics are defined, the motivation for constructing them lying in the kinds of things we would like to be able to express; then axiom systems are developed for them, the motivation being rooted in the need to be able to prove those things. This, then, explains our title.

We believe that the virtues of research in this area are mainly in providing a sound and rigorous foundational basis upon which reasoning about programs can be carried out. It is not essential, in our opinion, to carry out a proof of the correctness of every program one writes, and certainly not a proof within some formal axiom system. However, it is important to possess the ability of doing so when required. In addition, work in logics of programs provides a theoretical basis for developing computer-aided tools for reasoning about programs, such as interactive verifiers or automatic proof-checkers. We are also of the opinion that, much as a mathematician, when proving a theorem in algebraic topology, benefits from his knowledge of, say, the basics of predicate calculus, an understanding of issues such as those discussed in this thesis results in a subconscious accumulation of important programming knowledge. This knowledge, attainable even at the level of an ordinary programmer, includes understanding the inner workings of such basic programming concepts as sequencing, choice, iteration, recursion, infinite computations etc.

The remainder of this introduction is devoted to a brief historical account of work which influenced the development of the material presented (Section 0.1), a chapter-by-chapter summary and description of what is to come (Section 0.2) and a short explanation of the policy adopted, by which some work other than the author's own is also included (Section 0.3).



0.1 History.

Early work towards providing mathematical tools for reasoning about programs can be traced back to Turing [65] and von Neumann [66]. However, it is generally accepted that the first serious attempts solely devoted to that end are those of Floyd [17] and Naur [46] on the invariant assertion method for proving the partial correctness of programs, followed by the introduction, by Hoare [27], of an axiom system incorporating that method.

The work we present in this thesis is to a great extent based on Pratt's [52] foundational study of the semantics of Floyd-Hoare logic. (In fact, a preliminary version of [52], in the form of class notes, was written by Pratt in April 1974.) It is in [52] that the "modal logic of programs" (later termed dynamic logic, or DL, in [22]) was suggested as a powerful tool, touching off work by Fischer and Ladner [16] on the propositional version, and further work by Harel, Meyer and Pratt [22], Harel and Pratt [25], Pratt [53], Harel [20], [21], Parikh [?], [4?], Berman and Paterson [9] and more.

The idea of constructing first-order-like logics for reasoning about programs is not new. A logic quite similar in conception to DL, algorithmic logic, has been defined by Salwicki [59] following work of Engeler [15]. Not unlike the situation with DL, Salwicki's original paper stimulated researchers at the University of Warsaw and resulted in extensive study branching off in various directions (some sample papers are Mirkowska [41], Kreczmar [33], Banachowski [6] and Rasiowa [55]). A survey of their work can be found in [7]. Interestingly, a definition of dynamic logic appears in an appendix of Schwarz [60] and is credited there to Reynolds. However, the idea was not pursued any further there. Also, a very similar logic has been studied for quite a while by Constable, and reported on in [11]. Some comments concerning the relationships holding between DL, algorithmic logic, and Constable's logic appear in [21].

A large amount of related work, which has been of considerable help in developing the material presented, has been published over the years. Some notable examples are Manna's work in [37] and [3?], on the formalization of Floyd's method and related concepts, Cook's [12] relative completeness result for Hoare's axiom system, the work of de Bakker et al. [3], [4] and [5] and that of Hitchcock and Park [26] on recursive programs, the completeness results of Harel, Pnueli and Stavi [23] and Gorelick [19] for recursive programs, and Dijkstra's [13] logic of total correctness.



0.2 Synopsis.

This thesis consists of seven chapters which are organized into two parts. At the end of this section we show some possible self-contained subsets of it which can be read independently.

Part I is concerned with logics which reason about programs based upon their input-output behavior. Here programs (nondeterministic ones in the general case) are viewed as binary relations on states, where an initial state is related to a final state via a program α iff, starting in the former, α can terminate in the latter. The two notions relevant to this level of reasoning are that all final states accessible from a given state via α satisfy a property P, and that there exists such a final state in which P is true. The idea of dynamic logic, due in large to Pratt [52], is to augment the classical first-order predicate calculus with primitives for expressing these notions, and to use ideas borrowed from Kripke's [34] work on modal logic for defining the semantics of the resulting language.

Chapter 1 provides a definition of PDL, the propositional version of dynamic logic, together with results concerning (a) the decidability of its validity problem, (b) the power obtained by allowing propositional programs to test their environment, and (c) the problem of completely axiomatizing it.

In Chapter 2, the first order version of dynamic logic over regular (flowchart) programs, DL, is rigorously defined using the notions of state, universe, and uninterpreted symbols. It is shown that many interesting and well known properties of programs, such as partial correctness and equivalence, can be succinctly expressed as formulae of DL. Section 2.3 is aimed at showing that the class of programs allowed in DL is in fact a parameter, and that different classes of programs give rise to different variants of DL. Some open problems concerning the comparative expressive power of these variations are stated. Section 2.4 contains results which show that validity for DL and some simple sublanguages is extremely hard to decide.

In Chapter 3 we show how an intuitive way in which assertions about programs can be proved is captured formally by allowing the reasoning to be carried out in a first-order language in which, besides any other domain of discourse, the natural numbers and operations on them have their standard interpretations. This is done by introducing the notion of an arithmetical universe, and then showing that it is possible to give a concise axiomatization of DL which is complete relative to any such universe. We do not require programs to be written over these universes, but since any universe can be extended to an arithmetical one, this kind of reasoning can always, in principle, be carried out. We show, in Section 3.4, that arithmetical completeness is strongly related to Cook's [12] notion of relative completeness, and also discuss the approach of supplying DL with an infinitary, but absolutely complete, axiomatization.

In Chapter 4 we extend the definitions and results of Chapter 3 to the case in which the programs are allowed to be recursive. The recursive program construct introduced is simple enough so that a clear analogy between reasoning about iteration and recursion emerges. In particular, the axiomatization, in Section 4.?, of the resulting logic CFDL is far more natural and concise than would have been expected from studying the relevant literature.

Part II is concerned with the two operational notions of diverging and failing (i.e. entering an "infinite loop" and aborting due to the failing of a test) which are captured naturally by computation trees. These trees carry in their leaves the information present in the binary relations of Part I, but also contain information regarding e.g. the presence of divergences and failures. In Chapter 5 we define these new concepts and immediately apply them to the problem of defining a plausible notion of the total correctness of a general nondeterministic program. As it turns out, executing a program corresponds to traversing its computation tree, and this can be done in two natural methods, dual to one another. We show that each of these methods gives rise to a different notion of total correctness, and hence to a different notion of the weakest precondition which, if true before execution, guarantees total correctness. A detailed analysis is carried out in Sections 5.4 and 5.5 aimed at showing which (if any) of our four notions is the one described informally by Dijkstra [13] and which has been widely adopted for somewhat mysterious reasons.

Chapter 6 is devoted to investigating the mathematical properties of diverging and failing. In particular, it is shown in Section 6.1 that both these notions are expressible in DL, albeit by complicated formulae which have some undesirable properties. In Section 6.2 we augment DL to DL+ by providing it with the power to express diverging directly, and show that this augmentation gives rise to a surprisingly elegant and natural arithmetically complete axiomatization of the notion of diverging, to be contrasted with the axiomatization obtained by translating this notion into its DL equivalent and then relying on the axiomatization of DL. In Section 6.3 we show that there is a pretty pattern of dualities associated with the construction of arithmetical axiom systems for DL and DL+. In Section 6.4 we use the observations inspired by this pattern to obtain a straightforward axiomatization of a related logic, ADL.

Chapter 7 is concerned with supplying results analogous to those of Chapter 6 for the case of recursive programs. Here special methods have to be developed in order to be able to completely axiomatize CFDL+, i.e. CFDL augmented with diverging, and in addition we can only get halfway through showing that CFDL is powerful enough to express diverging. Consequently, a question which arises is that of whether the results in these sections indicate the existence of some inherent difficulty. We cannot supply more than intuition towards a definition of plausible notions of diverging and failing which do not depend on computation trees and which generalize to other classes of programs too.

As far as reading the thesis is concerned, after reading Chapters 1 and 2 (which are a prerequisite for any other chapter) the reader will have a good understanding of the basics of dynamic logic. He can then read Chapter 5, thus completing a reading aimed at grasping the main definitions for the regular case. Sequences 1,2,3 or 1,2,3,4 confine the reader to dynamic logic (no extensions) but, in addition, provide a treatment of arithmetical completeness for the regular and context-free cases respectively. One might also read 1,2,3,5,6, thus skipping anything to do with recursive programs.



0.3 Credits.

The occasion of writing this thesis has provided a good opportunity (and excuse) for preparing a coherent and comprehensive description of the work done recently (mostly by members of the Theory of Computation Group of the Laboratory of Computer Science at MIT) concerning a new approach towards reasoning about programs, to which the general term dynamic logic has been attached. This opportunity has been taken advantage of, and consequently some of the material in the thesis is not due to the author. Any result which is not original with the author is stated with a reference to its originator. Also, we do not supply proofs of results which are not our own, but rather occasionally comment briefly as to the method involved. A consequence is the fact that many results are stated here for the first time and, as of now, no adequate documentation of their proofs is available. We feel, however, that these technicalities are irrelevant when balanced against the virtues of the kind of presentation we have chosen. Following is a quick reference to the notable parts of the thesis which are not original with the author, most of which are included in Chapters 1 and 2.

The ideas upon which the definition of PDL is based are due to V.R. Pratt, and were published, in somewhat different form, in [52]. The definition of PDL in Chapter 1 is due to M.J. Fischer and R.E. Ladner and was published in [16]. The author's own contributions in that chapter are confined to the introduction of EPDL in Section 1.1.1 and its investigation in Appendix A. The material in Chapter 2, also stemming from the ideas of Pratt [52], was developed over a long period jointly by A.R. Meyer, V.R. Pratt and the author (with the exception of Section 2.4, with which the author had little to do). A preliminary version of the rigorous definition of DL presented here was published in [22].

Some of the ideas present in the definition of the computation trees in Section 5.2, in particular the concept of failing, were worked out by the author jointly with V.R. Pratt, and appeared in preliminary form in [25]. The motivation for developing the material in that section was influenced in large by discussions with N. Dershowitz. As noted in the text, the central theorem in Section 6.1 is based on a result of Winklmann [71]. Section 7.4 is based upon an idea of A.R. Meyer.

I would like to take this opportunity to express my gratitude to the aforementioned individuals for allowing me to include their own work in this thesis.
PART I: Binary-Relation Based Logics.

1. Regular Propositional Dynamic Logic (PDL).

PDL is the propositional version of dynamic logic, and was defined by M.J. Fischer and R.E. Ladner in [16]. It plays a role in the logic of programs analogous to the role the propositional calculus plays in the classical first-order logic. They comment, "We have attempted to abstract from [work on logics of programs] the 'pure' logical structure underlying these formal systems. We feel a thorough understanding of this structure is a prerequisite to obtaining a good grasp on the more complicated, albeit more applicable, systems, just as classical propositional logic is fundamental to the understanding of first-order predicate calculus."

We first define an elementary version of PDL (EPDL) aimed at capturing the structure of the interface between the formulae and the programs involved. We then define PDL essentially as in [16], and state some results concerning PDL and a set of variations PDL_i for i ≥ 0.



1.1 Definitions.

1.1.1 Elementary PDL (EPDL).

EPDL is basically a modal logic with possibly more than one modality. Consequently, its semantics are those of ordinary modal logic extended to allow many modalities.

Syntax:

We have two sets of symbols, AF and AP, standing for atomic formulae and atomic programs. We use p, q, ... and a, b, ... respectively to denote elements of these two sets.

The set of well-formed formulae of EPDL (EPDL-wffs) is defined inductively as follows:

(1) All elements of AF are EPDL-wffs,

(2) For every a in AP and EPDL-wffs P and Q, (P∨Q), ¬P and ⟨a⟩P are EPDL-wffs.

We abbreviate ¬(¬P∨¬Q) to P∧Q, ¬P∨Q to P⊃Q, (P⊃Q)∧(Q⊃P) to P≡Q, and ¬⟨a⟩¬P to [a]P. We will often omit parentheses, using double spacing when appropriate to prevent ambiguities. The construct ⟨a⟩P is read "diamond-a P", and [a]P "box-a P".

Semantics:

The central notion in the semantics of EPDL is that of a universe W, which is a nonempty set, each element of which can be thought of as a state of the world in which certain facts are true and others are not. We use s, t, ... to denote states. Thus our semantics will have to specify for each EPDL-wff P and state s∈W, whether P is true in s (s satisfies P) or not. Hence it is plausible to define the meaning of a formula as the subset of W consisting precisely of those states which satisfy it. Furthermore, when viewing programs as objects which can "change the state of the world", it is plausible to define the meaning of a program as a binary relation on states, with the pair (s,t) in that relation iff the program in question, started in state s, can terminate in state t. Thus our programs are nondeterministic; there can, for a given s, be more than one t such that (s,t) is in that relation.

A structure S, then, is defined as a triple (W,π,m), where
    W is a nonempty set,
    π: AF → 2^W, and
    m: AP → 2^(W×W).

Thus, π and m provide the meanings for the basic formulae and programs (i.e. AF and AP).

π is extended inductively to the set of EPDL-wffs as follows:

    π(P∨Q) = π(P) ∪ π(Q) = {s | s∈π(P) or s∈π(Q)},

    π(¬P) = W − π(P) = {s | s∉π(P)},

    π(⟨a⟩P) = {s | (∃t)((s,t)∈m(a) and t∈π(P))}.

Denoting s∈π(P) by s⊨P and (s,t)∈m(a) by s a t, and adopting free usage of conventional logical symbols in our discussions, we may write for example

    s⊨⟨a⟩P iff ∃t(s a t ∧ t⊨P),

reading: "diamond-a P is true in state s iff there exists a state reachable from s via a which satisfies P". One may then verify that for [a]P (defined as an abbreviation to ¬⟨a⟩¬P) we have

    s⊨[a]P iff ∀t(s a t ⊃ t⊨P),

reading: "box-a P is true in state s iff every state reachable from s via a satisfies P".

Given a structure S=(W,π,m) we say that an EPDL-wff P is S-valid (and write ⊨_S P) if for every s∈W we have s⊨P. We say P is valid (and write ⊨P) if it is S-valid for every structure S. P is said to be S-satisfiable if for some s∈W we have s⊨P, and satisfiable if it is S-satisfiable for some S. The following are examples of valid EPDL-wffs:

    ([a]p ∧ ⟨a⟩true) ⊃ ⟨a⟩p,   where true abbreviates q∨¬q,

    ⟨a⟩(p∧q) ⊃ (⟨a⟩p ∧ ⟨a⟩q),

    ⟨a⟩(p∨q) ≡ (⟨a⟩p ∨ ⟨a⟩q).

The first example states essentially that if wherever you go p holds, and if furthermore you can go somewhere, then you can go somewhere where p holds.

At this point we refer the reader to Appendix A where we define an interesting relational calculus which employs only two operations on relations: the conventional composition operator ∘ and a new unary operator, defined there. We show there how to embed EPDL in this algebra, thus capturing EPDL in a pure relational format, and point to some questions which seem to justify further investigation of this direction.



1.1.2 PDL.

In the propositional dynamic logic we now describe, the set of programs is taken to be the set of regular expressions over AP. This allows reasoning about "structured" programs built up from atomic, uninterpreted, program letters.

Syntax:

Here too we have the two sets of symbols AF and AP, and in addition we require that AP contain one special element, denoted by #, which corresponds to the empty program.

The set R of regular programs is defined inductively as follows:

(1) All elements of AP are in R,

(2) For all α and β in R, (α;β), (α∪β) and α* are in R.

The set of well-formed formulae of PDL (PDL-wffs) is defined inductively similarly to EPDL:

(1) All elements of AF are PDL-wffs,

(2) For every α in R and PDL-wffs P and Q, (P∨Q), ¬P and ⟨α⟩P are PDL-wffs.

We abbreviate as in Section 1.1.1.

Semantics:

Here too we have the notion of a structure S = (W,π,m). However, we are now obliged to extend m to the class of programs R. This is done as follows:

    m(α;β) = m(α) ∘ m(β) = {(s,t) | (∃u)((s,u)∈m(α) and (u,t)∈m(β))},

    m(α∪β) = m(α) ∪ m(β) = {(s,t) | (s,t)∈m(α) or (s,t)∈m(β)},

    m(α*) = (m(α))* = {(s,t) | (∃n≥0)(∃s_0,...,s_n)(s_0=s and s_n=t and (∀i, 0≤i<n)((s_i,s_{i+1})∈m(α)))}.

Here the double usages of ∪ and * on both sides of the equations represent operations in the formal language we are defining and operations on binary relations respectively; in the latter ∪ is union and * is reflexive and transitive closure. Thus, our programs are literally the regular expressions over the alphabet AP, with #, α;β, α∪β, and α* meaning respectively "the empty program", "do α followed by β", "do either α or β, the choice being nondeterministic", and "do α any (nonnegative) number of times, the choice being nondeterministic". Here "doing α 0 times" is like "doing nothing". π is extended inductively to the set of PDL-wffs as in EPDL, and the definitions of validity and satisfiability are the same too. The following are examples of valid PDL-wffs:

    ⟨a∪b⟩(p∧q) ⊃ ((⟨a⟩p ∧ ⟨a⟩q) ∨ (⟨b⟩p ∧ ⟨b⟩q)),

    ([(a;a)*]p ∧ [a;(a;a)*]¬p) ≡ (p ∧ [a*]((p ⊃ [a]¬p) ∧ (¬p ⊃ [a]p))).

The last of these (due to A.R. Meyer) asserts the equivalence of two ways of stating that p and ¬p hold alternately along arbitrary a-paths.

Taking false to abbreviate ¬true, the following are examples of S-valid formulae, where S is the structure defined by the accompanying diagram [diagram of the structure S not reproduced in this copy]:

    ⟨a∪b⟩[a*]⟨a;(a∪c)⟩(⟨b⟩true ∧ [a]false),

    ⟨a∪b⟩[a*]⟨a;(a∪c)⟩([b]false ∧ ⟨a⟩true).

1.2 Results.

First we state some straightforward consequences of our definitions and provide proofs of some representative ones.

Lemma 1.1: For every PDL-wff P and α,β∈R, the following are valid:

(a) [α;β]P ≡ [α][β]P,

(b) [α∪β]P ≡ ([α]P ∧ [β]P).

Proof: We prove (a). s⊨[α;β]P iff ∀t(s (α;β) t ⊃ t⊨P) iff ∀t(∃u(s α u ∧ u β t) ⊃ t⊨P) iff ∀t∀u((s α u ∧ u β t) ⊃ t⊨P) iff ∀u(s α u ⊃ ∀t(u β t ⊃ t⊨P)) iff ∀u(s α u ⊃ u⊨[β]P) iff s⊨[α][β]P. ∎

Lemma 1.2: For every PDL-wff P and α∈R, s⊨[α*]P iff for every n≥0 we have s⊨[α^n]P, where α^0 is true? and α^(n+1) is α;α^n.

Proof: s⊨[α*]P iff ∀t(s α* t ⊃ t⊨P) iff ∀t((∃n≥0)(∃s_0,...,s_n)(s_0=s ∧ s_n=t ∧ s_0 α s_1 ∧ ... ∧ s_(n-1) α s_n) ⊃ t⊨P) iff ∀n∀t(s α^n t ⊃ t⊨P) iff for every n≥0, s⊨[α^n]P. ∎

Lemma 1.3: For every α∈R and PDL-wffs P and Q the following are valid:

(a) [α](P∧Q) ≡ ([α]P ∧ [α]Q),

(b) ([α]P ∨ [α]Q) ⊃ [α](P∨Q),

(c) ⟨α⟩(P∨Q) ≡ (⟨α⟩P ∨ ⟨α⟩Q),

(d) ⟨α⟩(P∧Q) ⊃ (⟨α⟩P ∧ ⟨α⟩Q).

Proof: We prove (a). s⊨[α](P∧Q) iff ∀t(s α t ⊃ t⊨(P∧Q)) iff ∀t(s α t ⊃ (t⊨P ∧ t⊨Q)) iff (∀t(s α t ⊃ t⊨P) ∧ ∀t(s α t ⊃ t⊨Q)) iff s⊨([α]P ∧ [α]Q). ∎

Note that a trivial counter-example to the other direction of both (b) and (d) is the structure with two states s and t in which P is true only in s and Q only in t, and in which we have both s α s and s α t.

Theorem 1.4 (Fischer and Ladner [16]): The validity problem for PDL is decidable.

This result is obtained by establishing a "finite model theorem" for PDL, stating that a PDL-wff is satisfiable iff it is S-satisfiable for some structure S in which the universe W is finite and in fact bounded by an exponential in the size of the wff. The following theorem essentially establishes an upper bound on this decision method:

Theorem 1.5 (Fischer and Ladner [16]): Satisfiability in PDL can be decided in nondeterministic time c^n for some constant c, where n is the length of the formula tested.

Pratt [53] has recently developed a decision procedure for PDL, based on the tableau method, which, in many naturally arising cases, is more efficient than the one implicit in the proof of Theorem 1.5 in [16].

Theorem 1.6 (Fischer and Ladner [16]): There is a constant d such that satisfiability in PDL cannot be decided in deterministic time [...].

This lower bound is proved by showing how to simulate the computation of an alternating Turing machine with a PDL-wff.

The following results are concerned with a variation of PDL in which programs are allowed to test the truth of certain formulae, leaving the state unchanged if the test produces a positive answer and aborting if not.

For the purpose of the rest of this section we let PDL_0 stand for PDL. Now, for any i ≥ 1 define PDL_i inductively as an extension of PDL_(i-1) by adding to the definition of the set of programs R the clause

(3) For any PDL_(i-1)-wff P, P? is in R,

and to the definition of the extension of m to R the clause

    m(P?) = {(s,s) | s∈π(P)}.

Thus, for example, [a;([b]p ∧ ⟨b⟩p)?]q is a PDL_1-wff. Define PDL_ω to be the union of the PDL_i over all i ≥ 0.

Lemma 1.7: For every PDL_ω-wffs P and Q, [P?]Q ≡ (P ⊃ Q) is a valid PDL_ω-wff.

Proof: Straightforward from the definitions. ∎

Theorem 1.8 (Fischer and Ladner [16]): Satisfiability in PDL_ω can be decided in nondeterministic time c^n for some constant c.



The following are some well known programming constructs and their translation into PDL with tests:

    if P then α else β      (P?;α) ∪ (¬P?;β),

    while P do α            (P?;α)*;¬P?,

    IF P → α □ Q → β FI     (P?;α) ∪ (Q?;β),

    DO P → α □ Q → β OD     ((P?;α) ∪ (Q?;β))*;(¬P ∧ ¬Q)?.

Note that there is an interesting logic "halfway" between PDL_0 and PDL_1, namely that in which clause (3) above is taken to be

(3) For any p in AF, p? is in R.

Thus, we allow only testing of propositional letters from AF. Denote this variant of PDL by PDL_½.

Theorem 1.9 (Berman and Paterson [9]): There exists a PDL_½-wff P such that there is no PDL_0-wff Q such that ⊨(P≡Q) (where P≡Q is to be viewed as a PDL_½-wff).

Theorem 1.10 (Berman [8]): For any i≥0, there exists a PDL_(i+1)-wff P such that there is no PDL_i-wff Q such that ⊨(P≡Q) (where P≡Q is to be viewed as a PDL_(i+1)-wff).

Informally, these results mean that each "level of testing" supplies increasingly more expressive power, or in other words,

    PDL_0 < PDL_½, and

    (∀i≥0)(PDL_i < PDL_(i+1)),

the second, say, reading "for every i, PDL_(i+1) is strictly more expressive than PDL_i".

Theorem 1.9 (and similarly 1.10) is proved by a subtle argument involving the construction of two families of structures S_j and S'_j for every j≥0, and the exhibition of a PDL_½-wff P which can "distinguish" between S_j and S'_j for all j≥0. One can then show that corresponding to any PDL_0-wff Q there exists an integer j(Q)>0 such that Q cannot distinguish between S_j(Q) and S'_j(Q).

Berman [8] has also shown that PDL_½ < PDL_1.

1.3 Axiomatization of PDL.

A problem left open in [16] was that of finding a complete axiom system for PDL. Consider the following axiom system X:

Axioms:

(1) All tautologies of propositional calculus,

(2) [α](P⊃Q) ⊃ ([α]P ⊃ [α]Q),

(3) [#]P,

(4) [α;β]P ≡ [α][β]P,

(5) [α∪β]P ≡ ([α]P ∧ [β]P),

(6) [α*]P ≡ (P ∧ [α][α*]P),

(7) [α*](P ⊃ [α]P) ⊃ (P ⊃ [α*]P).

Inference rules:

(8)   P,  P⊃Q
     ----------
         Q

(9)      P
     ----------
       [α]P

For PDL_ω we add to X the axiom

(10) [P?]Q ≡ (P ⊃ Q),

and call the resulting system X'.

Provability in X or X' is defined in the standard way; P is provable (written ⊢P) if there exists a finite sequence of PDL-wffs, the last of which is P, such that each is an instance of one of the axioms or is obtained from previous formulae by one of the inference rules. A version of this system had been conjectured by us for quite a while to be complete, but final confirmation of this fact came recently, independently, in Parikh [?], Pratt [53], Segerberg [61] and Gabbay [18].

Theorem 1.11 (Parikh, Pratt, Segerberg, Gabbay): X and X' are complete, for PDL and PDL_ω respectively.

As an example of a proof in X', serving in addition to familiarize the reader with the notions of PDL, we sketch the proof of the validity of the following PDL_1-wff:



    [(⟨a⟩true?;a)*]p ⊃ [a*]p.

Abbreviating (⟨a⟩true?;a) to β and [β*]p to Q, we state the main points in the proof, omitting reference to (1) and (8). The reader is urged to convince himself that each step can be rigorously justified in X'.

     1.  Q ⊃ (Q ∨ false),
     2.  [a]Q ⊃ [a](Q ∨ false),                    line 1, (9), (2),
     3.  [a]false ⊃ [a](Q ∨ false),                same as line 2,
     4.  ([a]false ∨ [a]Q) ⊃ [a](false ∨ Q),       lines 2,3,
     5.  (⟨a⟩true ⊃ [a]Q) ⊃ [a]Q,
     6.  [⟨a⟩true?][a]Q ⊃ [a]Q,                    line 5, (10),
     7.  [β]Q ⊃ [a]Q,                              (4), line 6,
     8.  Q ⊃ [β]Q,                                 (6),
     9.  Q ⊃ [a]Q,                                 lines 7,8,
    10.  [a*](Q ⊃ [a]Q),                           (9), line 9,
    11.  Q ⊃ [a*]Q,                                (7), line 10,
    12.  Q ⊃ p,                                    (6),
    13.  [a*]Q ⊃ [a*]p,                            line 12, (9), (2),
    14.  Q ⊃ [a*]p.                                lines 11,13.
2. Regular First-order Dynamic Logic

In this chapter we define a first order logic based upon ideas from Pratt [52] further developed in [22]. The logic, first order dynamic logic, or DL for short, is designed to reason about "real" regular programs, i.e. the equivalent of nondeterministic flowcharts or recursion-free loop programs. The sense in which the programs are real is in that they employ the conventional notions of changing the values of variables by assigning to them and testing the values of expressions. Programs in DL are no longer combinations of atomic program symbols, and program-free formulae are no longer propositional.

After defining DL we elaborate on the kinds of facts expressible in it. Section 2.3 contains some extensions of and restrictions upon the class of programs allowed in DL, viewing all the resulting logics as variations of DL. Section 2.4 contains results concerning the question of how hard it is to decide the validity of certain kinds of formulae of DL.



2.1 Definitions. 

Syntax: 

We are given a set of function symbols and a set of predicate symbols, each symbol 
with a fixed nonnegative arity. We assume the inclusion of the special binary predicate 
symbol "=" (equality) in the latter set. We denote predicate symbols by p, q,... and 
k-ary function symbols for k>0 by f, g,... Zeroary function symbols are denoted by 
z, x, y,... and are called variables. A term is some k-ary function symbol followed by a 
k-tuple of terms, where we restrict ourselves to terms resulting from applying this 
formation rule finitely many times only. For a variable x we abbreviate x( ) to x; thus 
f(g(x),y) is a term provided f and g are binary and unary respectively. An atomic formula 
is a k-ary predicate symbol followed by a k-tuple of terms. 
We define by simultaneous induction the set RG of first-order regular programs and 
the set of DL-wffs: 

(1) For any variable x and term e, x←e is in RG, 

(2) For any program-free (see below) DL-wff P, P? is in RG, 

(3) For any α and β in RG, (α;β), (α∪β) and α* are in RG, 

(4) Any atomic formula is a DL-wff, 

(5) For any DL-wffs P and Q, α in RG and variable x, 
    ¬P, (P∨Q), ∃xP and <α>P are DL-wffs. 

A DL-wff which contains no occurrence of a program of RG is called program free or simply 
a first order formula. Programs of the form indicated in (1) and (2) are called 
respectively (simple) assignments and (simple) tests. We use ∧, ⊃, ≡ and [α] as 
abbreviations as in the previous chapter, and in addition abbreviate ¬∃x¬P to ∀xP. 

(Remark: As will be seen in Section 2.3, the particular class of programs allowed in 
DL-wffs can be viewed as being a parameter. Different classes give rise to different 
variations. Even within the particular class of regular programs the set of tests can be 
allowed to vary; it can be the set of quantifier-free tests or, inductively, the set of 
question-marked DL-wffs. Various kinds of assignments are also possible. We stress these 
facts here, even before completing the definition of DL, so that the reader does not 
associate any particular class of programs with the generic term dynamic logic.) 

Semantics: 

The semantics of DL is based on the concept of a state. The difference, however, 
is that we are now concerned with specific atomic programs and specific atomic formulae. 

A state I consists of a non-empty domain D and a mapping from the sets of function 
and predicate symbols to the sets of functions and predicates over D, such that to a k-ary 
function symbol f (resp. predicate symbol p) there corresponds a total k-ary function 
(resp. predicate) over D denoted by f_I (resp. p_I). In particular, to a variable there 
corresponds an element of the domain, and to a zeroary predicate symbol (a propositional 
letter) a truth value (true or false). The standard equality predicate over D is that 
corresponding to the equality symbol (=). We will sometimes refer to the domain of I as D_I. 

Observe that the way states are defined no distinction is made between what are 
normally called variables and constants. These, however, will be defined below for simple 
universes. 

We denote by Γ the collection of all possible states and call it the grand 
universe. Our semantics will assign to a program α a binary relation m(α) over Γ, and 
to a formula P a subset of Γ consisting of those states which satisfy P. In the sequel, 
however, we will be interested in special subsets of Γ, namely universes: 

A pseudo-universe U is a set of states all of which have a common domain D. A 
function symbol f (resp. predicate symbol p) is called uninterpreted in U if for every 
state I∈U and for every function F (resp. predicate P) over D there exists J∈U such that I 
and J differ at most in the value of f (resp. p), and f_J = F (resp. p_J = P). 

Notation: For any function G: A → B, arbitrary element e, and a∈A, we define [e/a]G to 
be the function with domain A and range B∪{e} giving the same values at points in A−{a} as 
G, and such that ([e/a]G)(a) = e. Thus, the situation described above for uninterpreted f is 
simply J = [F/f]I. 

A symbol is called fixed in U if its value is the same in all states of U. Thus, 
"=" is fixed in any universe. A universe is a pseudo-universe in which every predicate 
symbol is fixed and in which every function symbol is either fixed or uninterpreted. A 
universe is called simple if the only uninterpreted symbols in it are a designated set of 
variables. In a simple universe the fixed variables will sometimes be called constants, 
following ordinary usage. 

The value of a term e = f(e1,...,ek) in a state I is defined inductively, following 
Tarski [64], by 

e_I = f_I(e1_I,...,ek_I). 

We now define by simultaneous induction the binary relation over Γ corresponding to a 
program α of RG, and those states I in Γ which satisfy a DL-wff P. The relation will be 
denoted by m(α), and for the latter we write I ⊨ P. (I,J) being an element of m(α) can be 
thought of as representing the existence of a computation of α starting in state I and 
terminating in J. Thus, I ⊨ [α]P will be seen to be making an assertion about all 
terminating computations of α starting in state I; namely the assertion that the final 
states of these computations satisfy P. Similarly, I ⊨ <α>P asserts the existence of a 
terminating computation of α starting in state I and ending in a state satisfying P. 

(1') For any variable x and term e, 
m(x←e) = {(I, [e_I/x]I) | I∈Γ}, 

(2') For any program-free DL-wff P, 
m(P?) = {(I,I) | I ⊨ P}, 

(3') For any α and β in RG, 
m(α;β) = m(α) ∘ m(β), 
m(α∪β) = m(α) ∪ m(β), 
m(α*) = (m(α))*, 

(see Section 1.1 for further specification) 

(4') For an atomic formula p(e1,...,ek), 

I ⊨ p(e1,...,ek) whenever p_I(e1_I,...,ek_I) is true, 

(5') For any DL-wffs P and Q, α in RG and variable x, 

I ⊨ ¬P iff it is not the case that I ⊨ P, 

I ⊨ (P∨Q) iff either I ⊨ P or I ⊨ Q, 

I ⊨ ∃xP iff there exists an element d in D_I such that [d/x]I ⊨ P, 

I ⊨ <α>P iff there exists a state J such that (I,J)∈m(α) and J ⊨ P. 

Note that the only kinds of formulae whose truth in state I depends possibly upon states 
other than I are those containing subformulae of the form ∃xP and <α>P. 

In most of this thesis we will primarily be interested in investigating the truth 
of DL-wffs in a given simple universe U. However, one can see that for some I∈U and some 
assignment x←e the unique state J such that (I,J)∈m(x←e), i.e. the state [e_I/x]I, 
might not be in U at all. We outlaw this phenomenon by adopting, from now on, the 
convention that in the context of a given universe the only programs we consider are 
those in which the variables assigned to (e.g. x in x←e) and the quantified variables 
(e.g. x in ∃xP) are uninterpreted. Thus, for I∈U and for any DL-wff P the truth of P 
in I can be seen to depend only on states in U. 

We use abbreviations as in Chapter 1, and thus will write I α J for (I,J)∈m(α), and 
for [α], which stands for ¬<α>¬, we have again 

I ⊨ [α]P iff ∀J(I α J ⊃ J ⊨ P). 

Given a universe U we say that a DL-wff P is U-valid (⊨_U P) if for every I∈U 
we have I ⊨ P. We say P is valid (⊨P) if it is U-valid for every universe U in which, in 
line with the above convention, the assigned and quantified variables of P are uninterpreted. 

The following are examples of valid DL-wffs: 

[(x=z ∧ y=u)?;(x←f(x) ∪ y←f(y))](x=z ∨ y=u), 

x=y ⊃ [(x←f(f(x)))*]<(y←f(y))*>x=y, 

x=y ⊃ [(x←f(x))*](p(x) ⊃ (x=y ∨ <y←f(y);(y←f(y))*>p(y))). 

The first asserts that at most one of the components of ∪ is executed. The second states 
that the process of repeatedly applying a function composed with itself is a special case 
of that of repeatedly applying it. The third asserts essentially that the process of achieving a 
property of x by repeatedly applying f can be simulated in y. 

Denote by N the simple universe of pure arithmetic; i.e. the domain D is the set 
of natural numbers and +, · and [illegible] are fixed with their standard interpretations. We 
freely use standard arithmetical abbreviations such as <, gcd etc. (Whenever, in the 
context of the natural numbers, we use the symbol −, it is to be understood to stand for 
the so called "monus" operation, i.e. x−y is the difference of x and y if x≥y, and 0 
otherwise. Also, we abbreviate x·x to x² and [illegible].) 
The following are N-valid DL-wffs: 

<(x←x−1)*>x=0, 

y>0 ∨ <y=0?>true, 

[(x=x' ∧ y=y' ∧ x'·y'>0)?]<(x>y?;x←x−y ∪ x<y?;y←y−x)*;(x=y)?>x=gcd(x',y'). 

The last example asserts that the program inside the diamond, under the assumption that 
its two inputs are positive integers, terminates and computes the gcd of these inputs. 
This program can be written in more popular terms as: 

while x≠y do 
    if x>y then x←x−y 
    else y←y−x 
end. 

We adopt the standard definition of a free occurrence of a variable x in a first 
order formula Q to be an occurrence of x which is not within a subformula of the form ∃xP. 
Any other occurrence is called bound. Also, we define Q^x_e, for variable x and term e, to 
be the formula which is obtained from Q by uniformly renaming all bound variables of Q 
which appear in e and replacing all free occurrences of x by e. 

Lemma 2.1: For every assignment x←e and first-order formula Q, 

we have ⊨ ([x←e]Q ≡ Q^x_e). 



2.2 Descriptive Power. 

One of the virtues of logics such as DL is the fact that they provide a general 
framework in which it is possible to express a wide variety of concepts and notions, for 
each of which one would otherwise have to invent a special notation. The advantages of 
this uniformity are by no means only notational; elementary results and analyses are 
more obscure and harder to come by when these concepts are developed under separate cover. 
This argument is implicit in Sections 3.3 and 6.3 as well as in [21]. 

The examples in Section 2.1 illustrate some of the facts expressible in DL, the 
first set of valid ones being true for "uninterpreted" reasons, and the second for reasons 
stemming from properties of the specific universe involved, in this case that of 
arithmetic. Indeed, when people reason informally about programs, they have in mind a 
particular interpretation for the symbols appearing in the program. Consequently, we will 
be more interested in providing adequate tools for "domain dependent" reasoning; e.g. for 
proving that a DL-wff is valid in some universe U. 

Although we wish to stress the fact that one can write complex DL-wffs (e.g. 
alternations of boxes and diamonds of arbitrary length are certainly permitted), we point 
to some particular elementary properties of programs and show how to express them, with 
relatively simple formulae, in DL given a universe U. 
- Partial correctness of α wrt P and Q (Hoare's [27] P{α}Q): ⊨_U (P ⊃ [α]Q), 

- Existence of a Q-terminating path of α: ⊨_U <α>Q, 

- Existence of a Q-terminating path of α under the assumption P: ⊨_U (P ⊃ <α>Q), 

  (This turns out to be the total correctness of α when α is 
  deterministic, and has been denoted by a variety of notations, see [21]. 
  Also see Section 2.3.4.) 

For any α∈RG, define var(α) as a finite vector consisting, in some fixed standard 
order, of all variables appearing to the left of the assignment symbol ← in α. 

- Equivalence of α and β: ⊨_U ∀Z'(<α>Z=Z' ≡ <β>Z=Z'), where 
  Z = var(α) ∪ var(β), and Z' is a vector of the same length as Z whose components are 
  distinct variables not in var(α). 

- Determinacy of α (all terminating paths have a common final state): 
  ⊨_U ∀Z'(<α>Z=Z' ⊃ [α]Z=Z'), with Z and Z' as above. 

2.3 Variations. 

Regular programs of the kind we have employed are by no means mandatory. On the 
contrary, the reader and any potential user of DL is encouraged to use the basic concepts 
(as portrayed, say, in [21]) with his favorite programming language. We ourselves 
prefer to work with regular (and later with context-free) expressions over assignments and 
first-order tests. In this section, however, we provide a number of possible variations of 
this set of programs. 

We are about to introduce various logics and give them names, and we would like to be 
able to compare their expressive power. If it is the case then, that for two such logics 
A and B, the wffs of A are a subset of those of B, we will denote by A < B the assertion 
that there exists a B-wff P such that for no A-wff Q is it the case that P≡Q is a valid B-wff. 
2.3.1 Array Assignment. 

An array-assignment is a basic program which can change the value of a function 
symbol at a specific point. This is done by writing f(z)←e where f, z and e are 
respectively a k-ary function symbol, a k-tuple of variables, and a term. We restrict 
ourselves for simplicity to the case where k=1. 

To obtain this new language, which we call array-DL, the following 
clauses are added to the definitions of the syntax and semantics of DL respectively. 

(1a) For any unary function symbol f, variable x and term e, 
f(x)←e is in RG, 

(1a') For any unary function symbol f, variable x and term e, 
m(f(x)←e) = {(I, [F/f]I) | F = [e_I/x_I]f_I}. 

Note that although a program with array assignments can change the value of f at 
unboundedly many points (e.g. as might be the case with the program (x←g(x);f(x)←y)*), 
it cannot in general change the "entire" value of f as in a second order assignment of the 
form f←g, which, although constituting another plausible variation, is not allowed here. 
We extend our convention of Section 2.1 to require that in the context of a given universe 
U we allow array assignments of the form f(x)←e only if f is uninterpreted in U. 

Open Problem: Is DL < array-DL? 

Answering this question in the affirmative would involve exhibiting an 
array-DL-wff P, and showing that for no DL-wff Q do we have ⊨(P≡Q). Certainly, the 
obvious fact that certain programs can be written easily and succinctly using array 
assignments will not be affected by an answer to this question; it is strictly a question 
about the power of expression of a formal logic for reasoning about these programs. 



2.3.2 Random Assignment. 

A random-assignment is a basic program which in a state I can change the value of 
a variable x nondeterministically to any element of the domain D_I. Strictly speaking, 
however, this type of assignment is appropriate (and of use) only when x is 
uninterpreted, in which case every element of D_I is indeed a possible value of x. 

The following clauses are then added to the appropriate places in the definition 
of DL to obtain random-DL: 

(1b) For any variable x, x←? is in RG, 

(1b') For any variable x, m(x←?) = {(I,J) | J = [d/x]I for some d∈D_I}. 

Thus, x←? when started in I can terminate in any state in which only the value of x has 
been changed. 

Lemma 2.2: For any universe U, uninterpreted variable x and DL-wff P, we have 
⊨_U (∃xP ≡ <x←?>P) and ⊨_U (∀xP ≡ [x←?]P). 

This obvious fact, which on the one hand [illegible] random-DL completely, does not on 
the other hand imply anything that renders random assignments redundant; x←? can 
certainly appear, say, [illegible], as we illustrate after the theorem below. In fact, here 
too we do not know whether or not any expressive power is gained. 

Open Problem: Is DL < random-DL? 

We do have the following result, which refers to DL with both array and 
random assignments. 

Theorem 2.3 (Meyer [44]): 

array-DL < random-array-DL and random-DL < random-array-DL. 

This result is proved by showing that there is no formula in DL with array-assignment or 
random-assignment (but not both) which is equivalent to the formula P [illegible], 
where we define 

α: x←z;(u←?;f(x)←u;x←f(x))*, and 

β: x←z;(x←f(x))*;(x=y)?;(x←f(x))*;(x=z)?. 

P is a formula of this doubly augmented DL, which is true in a state I iff the domain of I 
is finite. α makes possible assigning f(z), f(f(z)) etc. to some random elements of the 
domain, and β makes sure that y is on the "f-cycle" starting from z. Finiteness, then, 
is definable in DL with both array- and random-assignment. It can be shown however, and 
this is the content of the remainder of the proof of Theorem 2.3, that finiteness is not 
definable in either array-DL or in random-DL. 



2.3.3 Rich Test. 

Rich-test-DL is the first-order version of PDL' defined in Section 1.2. It 
allows tests in programs to involve other programs (which themselves might involve such 
tests etc.). Thus a program α might pause, asking something like "can program β halt 
on input x if started right now?", and continue without side effects iff the answer was 
"yes". 

The definition of rich-test-DL is identical to that of DL except that clause (2) 
in that definition is changed to read: 

(2) For any rich-test-DL-wff P, P? is in RG. 

So that, for example, a desired effect could be guaranteed "in advance" as in the program 
α: (([β]P)?;β)*, for which P ⊃ [α]P is valid. Here β is not executed unless P is 
guaranteed to hold upon completion. 

Open Problem: Is DL < rich-test-DL? 



2.3.4 Deterministic Dynamic Logic (DDL). 

DDL is the deterministic version of DL; i.e. the only programs allowed inside 
boxes and diamonds are deterministic ones. We do this by defining the set of DDL-wffs to 
be simply the set of DL-wffs in which ∪ and * appear only in constructs of the form 
(P?;α ∪ (¬P)?;β) and ((P?;α)*;(¬P)?), and we abbreviate these to (if P then α 
else β) and (while P do α) respectively. We call this restricted class of programs 
DRG, and clearly they correspond to the well known while programs. The semantics of DDL 
is the same as that of DL. 
Lemma 2.4: For any universe U, state I∈U and program α∈DRG, there is at most one state 
J∈U such that I α J. ∎ 

Corollary 2.5: The following are valid for every α∈DRG and DL-wffs P and Q: 

(a) <α>P ≡ ([α]P ∧ <α>true), 

(b) <α>(P∧Q) ≡ (<α>P ∧ <α>Q). 

Proof: We prove (a). I ⊨ <α>P iff ∃J(I α J ∧ J ⊨ P) iff (by the lemma) ∃J(I α J ∧ 
∀J'(I α J' ⊃ J' ⊨ P)) iff ∃J(I α J ∧ J ⊨ true ∧ ∀J'(I α J' ⊃ J' ⊨ P)) iff I ⊨ (<α>true ∧ 
[α]P). ∎ 

Here the question of whether nondeterminism supplies more expressive power is most 
interesting, and also unanswered as of now; its clarification would hopefully supply 
insight into the propositional [illegible]. 

Open Problem: Is DDL < DL? 

One can also define DPDL as PDL with similar restrictions upon the class of regular 
expressions over AP. There too we have: 

Open Problem: Is DPDL < PDL? 

Note though, that the programs in DPDL can be nondeterministic by virtue of the 
interpretation assigning a non-functional relation to an atomic program. However, we can 
restrict the structures and ask the same question: 

A binary relation r is said to be functional if for every a there is at most one b such 
that (a,b)∈r. 

Open Problem: Is it the case that for every PDL-wff P there exists a DPDL-wff Q such that 
⊨(P≡Q) for every structure S=(W,π,m) in which m (restricted to AP) is functional? 

We now define the notion of total correctness, which intuitively states that "the 
program will terminate satisfying the conditions": 

Definition: A program α in DRG is totally correct with respect to a universe U and 
DDL-wffs P and Q, if ⊨_U (P ⊃ <α>Q). 

Note that Corollary 2.5(a) substantiates the widely used fact that for deterministic 
programs, proving partial correctness and termination is the same as proving total 
correctness (see for example Manna [39]). 

Thus, DL is a tool powerful enough to express the concept of total correctness for 
deterministic programs. However, in Chapter 5 we will see that this notion is much more 
subtle when nondeterministic programs are allowed. 

Another interesting restriction on the programs in DL is the guarded commands 
language of Dijkstra [13]. We define this language in Section 5.5. 



2.3.5 R.e. Dynamic Logic. 

As it turns out (see for example Section 2.4), many interesting properties of 
dynamic logic are invariant under drastic changes to the complexity of the programs 
involved. To provide a definite class which can be thought of as a plausible "upper bound" 
on this complexity, we introduce r.e. programs. 

A regular program of RG can be thought of as a regular set of strings over the 
basic alphabet of assignments and tests. It is easy to see that taking the meaning of 
these programs to be the union (over this set) of the binary relations obtained by 
composing the relations corresponding to the components of each string in order, is 
consistent with our definition of the meaning of the regular expressions over this 
alphabet. R.e.-DL is obtained in a similar way by adopting as programs r.e. sets of 
strings over the above alphabet and defining their meaning similarly. One particular way 
in which to represent these programs is to supply a description of the Turing machine 
which recognizes this r.e. set, along with the (finite) sets of assignments and tests 
involved. The semantics of r.e.-DL-wffs is then obtained analogously to that of DL. 

Thus, these programs are so complex that merely deciding at each point in 
the execution "what to do next" might take the full power of Turing machines. 
Nevertheless, it turns out that this complexity does not affect most of the results about 
the validity problem in DL. 
2.4 The Validity Problem for DL. 

In this section we state some results concerning the question of how hard it is to 
decide whether a given DL-wff is valid. Since a valid DL-wff is one which is true in 
every state of every universe, this is not, so to speak, a "domain dependent" question 
but rather a question involving the behavior of completely uninterpreted programs. 
Throughout this section, we will use the notation of Rogers [illegible] for indicating degrees of 
undecidability. 

The first fact about DL is the well-known recursive enumerability of the set of valid 
first-order formulae: 

Lemma 2.6: The valid program-free DL-wffs form a Σ₁-complete set. 

Proof: These are precisely the valid first-order wffs of ordinary logic. ∎ 

Lemma 2.7 (Pratt [52]): The valid DL-wffs with no appearance of the * operator form a 
Σ₁-complete set. 

Proof: Trivial, using Lemmas [illegible] for getting rid of these loop-free programs. ∎ 

Theorem 2.8 (Meyer and Pratt [22]): The valid DL-wffs of the form <α>P, where P is 
first-order and α is an r.e. program, form a Σ₁-complete set. 

In other words, attaching one diamond (even with the most complicated program in 
it) to a first-order formula does not make the validity problem any more difficult. In 
particular, one can extend this result to formulae of the form P ⊃ <α>Q for program-free P 
and Q, showing that deciding validity of total correctness assertions for deterministic 
uninterpreted programs is an r.e. problem. 

Theorem 2.9 (Meyer and Pratt [22]): The valid DL-wffs of the form [α]P, where P is 
program free and the set of programs is taken to be as large as the set of r.e. programs 
or as small as the singleton {x←y;(x←f(x))*}, form a Π₂-complete set. 

Thus, attaching one box to a first-order formula gives rise to a very hard validity 
problem (as hard, in fact, as the totality problem for Turing machines). (Similarly, one 
can extend this to the class of valid partial correctness assertions.) However, if the 
formula P to which [α] is attached (the output specification of the partial correctness 
assertion) is free of existential quantifiers, i.e. is a universal formula, the problem 
is easier: 

Theorem 2.10 (Meyer and Pratt [22]): The valid DL-wffs of the form [α]P, where α is 
as in Theorem 2.9 and P is a universal first-order formula, form a Π₁-complete set. 

The hopes of keeping the validity problem for the whole of DL down to some place 
in the arithmetic hierarchy are shattered by the following theorem: 

Theorem 2.11 (Meyer, [22] and [44]): The valid DL-wffs of each of the following forms 
form a Π¹₁-complete set, where the set of programs involved can, in each case, be 
taken to be as large as the set of r.e. programs or as small as the singleton 
{x←y;(x←f(x))*}: 

(a) ∃x[α]P,        P a first-order formula, 

(b) ∃x∃y[α]P,      P a quantifier-free first-order formula, 

(c) <β₁;β₂>[α]P,   P a quantifier-free first-order formula, 

(d) P,             P a DL-wff. 

Thus, the validity problem for DL is extremely hard, in fact as hard as deciding 
the validity of general universal second-order sentences ∀RP, where P is 
a first-order formula of arithmetic. It gets that hard, however, for quite simple formulae 
with only one "alternation" of programs (here we like to view ∃x as <x←?>). The upper 
bound of Π¹₁ can be shown to hold for all the variations we have considered; in 
particular, the set of valid formulae of rich-test-random-array-DL also form a 
Π¹₁-complete set. 

These results, then, eliminate any possibility of obtaining (absolutely) complete 
axiomatizations of any interesting portions of DL. In the next chapter we will see, 
however, that the situation is not so grim. 

We remark here that Meyer [44] has also been able to show that the set of valid 
formulae of Salwicki's [59] algorithmic logic is also Π¹₁-complete. This is contrary 
to erroneous results in Kreczmar [32] and [33]. 
3. Arithmetical Axiomatization. 

In this chapter we introduce the approach of supplying a syntactic characterization 
of the valid DL-wffs [illegible] universe of arithmetic. This characterization 
[illegible] which makes explicit use of variables that range over the natural numbers. 
For any such "arithmetical" universe A we [illegible] and show that then [illegible] 
any A-valid DL-wff. This property [illegible]. 

As will become evident in the sequel, the natural numbers are used in first order 
formulae to "count" the number of [illegible] executed in α*. We do not use the extra 
power in which we indulge in order to introduce "arithmetical bookkeeping" into the 
programs, i.e. assignments to variables which [illegible] done e.g. by Owicki [47] for 
reasoning about parallel programs. In fact, one's programs might not involve integers at 
all and still [illegible] can be extended [illegible] without modification [illegible]. 

Anticipating our need to prove arithmetical completeness [illegible] and 7, we state 
and prove a [illegible] which is a generalization of the induction step which we used for 
our completeness theorem in Section 1.2. This step is common to the [illegible] this 
thesis, and [illegible] of the proofs of similar completeness results in the future. 
Section 3.1 contains the definition of an arithmetical universe, showing that any universe 
can be extended to an arithmetical one. It is then proved that for any arithmetical 
universe there exists, for every DL-wff, a first order formula equivalent to it over that 
universe. Section 3.2 contains our axiom system P for DL and proofs of its arithmetical 
soundness and completeness. Section 3.3 contains the restriction [illegible]. In Section 
3.4 we remark on the relationships holding between [illegible] completeness, and 
Mirkowska's [41] infinitary axiomatizations. 
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3.1 The Theorem of Completeness and Arithmetical Universes. 

In this section we prove a general theorem which will be applied five times in the 
thesis for obtaining completeness results for arithmetical axiomattzations of various 
logics of programs. It writ allow us to deduce, for example, 

completeness of an axiom system for DL given that that svstem U complete for proving 
basic formulae involving at most one program. The theorem, however , wiH be stated in 
very general terms. 

Denote the set of first -order formulae by L Assume we are given a universe U, a 
set K, and a functional 

M: Kx2 U -?2 U . 

The M-extension of L, L( M) , is defined to be the following language which is L 
augmented with one formation -rule: 

(1) Any atomic formula is in L(M), 

(2) For any k«K, variable x and MM) -wffs P ,and Q, 

. -.'p, (PvQ), 3xP and (M k )P are L< M) -wffs. 

The semantics of L( M) are defined sach that < JHfi^>P Mdi whenever 
J*M(k,{#| |>P}) ; all the other clauses receive their standard meanings. 

Some intuition might be gained at this point by noticing that if K is taken to be 
the class of programs RG and M_α is interpreted as <α>, then L(M) is in fact 
regular first order dynamic logic, i.e. DL. 

We now define some important concepts to be used in the sequel. 

We say that L is U-expressive for L(M) if for every L(M)-wff P there exists an L-wff Q 
such that ⊨_U P≡Q. 

An axiom system P(M) for L(M) is any set of axioms (or axiom schemas) and inference rules 
over L(M). Provability of an L(M)-wff P in P(M) is defined in the standard way and is 
denoted by ⊢_P(M) P. P(M) is said to be U-sound if all the axioms are U-valid and all 
the rules of inference preserve U-validity. Note then, that if P(M) is U-sound, then 
whenever ⊢_P(M) R holds, ⊨_U R does too. 

P(M) is said to be propositionally complete if all instances of tautologies of propositional 
calculus are theorems of P(M) and [illegible]. It is 
said to be U-complete if for every L(M)-wff R, if ⊨_U R holds then we have ⊢_P(M) R. 



Theorem 3.1 (Theorem of Completeness): For any universe U and M-extension L(M) of L, a 
U-sound axiom system P(M) for L(M) is U-complete whenever 

(1) P(M) is propositionally complete, 

(2) L is U-expressive for L(M), 

(3) For any k∈K and L(M)-wffs R and Q, [illegible] 

(4) For any k∈K and L-wffs R and Q, 

    if ⊨_U R then ⊢_P(M) R, 

    if ⊨_U (R ⊃ (M_k)Q) then ⊢_P(M) (R ⊃ (M_k)Q), and 

    if ⊨_U (R ⊃ ¬(M_k)Q) then ⊢_P(M) (R ⊃ ¬(M_k)Q). 

Proof: We have to prove that if P is an L(M)-wff such that ⊨_U P, then ⊢_P(M) P. 
By the propositional completeness of P(M) we can assume that P is given in conjunctive 
normal form, and we proceed by induction on the sum of the number of appearances of M and 
the number of quantifiers in P. Assume the theorem holds for any formula with n−1 or less 
appearances of M and quantifiers. If P is of the form P1∧P2 then we have ⊨_U P1 and 
⊨_U P2, both of which have to be proved in P(M), so that we can restrict our attention to 
a single disjunction. Without loss of generality we can, therefore, assume that P is of 
one of the forms 

P1∨(M_k)P2,  P1∨¬(M_k)P2,  P1∨∃xP2  or  P1∨¬∃xP2, 

where k∈K and P1 and P2 each have n−1 or less appearances of M and quantifiers. Let us 
use ρ to denote (M_k), ¬(M_k), ∃x or ¬∃x according to which is the case. 

L is expressive for L(M), and so for any L(M)-wff Q there is some L-wff Q_L 
which is equivalent to Q. We have then ⊨_U (¬P1_L ⊃ ρP2_L), and by assumption (4) 
(since P1_L and P2_L are L-wffs) we also have 

(*)   ⊢_P(M) (¬P1_L ⊃ ρP2_L). 

Now surely, by the definition of P1_L and P2_L, we have ⊨_U (¬P1 ⊃ ¬P1_L) and 
⊨_U (P2_L ≡ P2); both these last formulae have less than n appearances of M and 
quantifiers, and hence by the inductive hypothesis 

(**)  ⊢_P(M) (¬P1 ⊃ ¬P1_L) and ⊢_P(M) (P2_L ≡ P2). 

By assumption (3) or the first clause in (4) (depending on whether ρ is an appearance 
of M or a quantifier), together with the propositional completeness, we obtain from the latter 

(***) ⊢_P(M) (ρP2_L ⊃ ρP2). 

From (*), (**) and (***) we get, using propositional reasoning, ⊢_P(M) (¬P1 ⊃ ρP2), 
or ⊢_P(M) (P1 ∨ ρP2). ∎ 

Our goal in the next section is to apply this theorem to DL viewed as an 
M-extension of L as indicated above. In order to do this we now define a set of universes, 
the arithmetical universes, each of which satisfies requirement (2) of the Theorem. This 
fact is proved below in Theorem 3.2. 

An arithmetical universe A is a universe in which the domain includes the set of natural 
numbers, the binary function symbols + and · are fixed and given their standard meanings 
(addition and multiplication respectively) when applied to the natural numbers in the 
domain, and 0 and 1 are fixed zero-ary function symbols interpreted as the natural 
numbers "zero" and "one" respectively. Furthermore, there is a fixed unary predicate 
symbol nat with the interpretation "nat(d) is true iff d is a natural number", that is, 
for every state J, {d∈D | nat_J(d)} is the set of natural numbers. Thus, we are able to 
distinguish the natural numbers in the domain from the other elements, and we do not care, 
say, what the value of x+y is in state J when it is not the case that nat_J(x_J) holds. 
An additional property we require of an arithmetical universe is the ability to encode 
finite sequences of elements into single elements. The formal statement of this property is 
as follows: 

There exists a total predicate R(x,i,y) over the domain of A, 
such that for any natural number n in the domain we have 

(∀x_1 … x_n)(∃y)(∀i)(1 ≤ i ≤ n ⊃ R(x_i, i, y)). 

The intuition is that R(x,i,y) holds iff "x is the i-th component of y", so that any finite 
sequence x_1 … x_n can be encoded as such a y. 

Note that one particular arithmetical universe is the universe N of "pure 
arithmetic"; that is, the universe in which the domain is precisely the set of natural 
numbers, and +, ·, 0, 1 and nat (which in that case is identically true) are the only 
function and predicate symbols. Gödel's β-function (see e.g. Section 6.4 in Shoenfield 
[62]) serves as the finite sequence encoding function. 

It is important to note that any universe U can be extended to an arithmetical 
universe A_U by augmenting it, if necessary, with the natural numbers and additional 
apparatus for encoding finite sequences. Thus, reasoning about any kind of program 

… 

universe. 

Take A to be any arithmetical universe and K to be the set RG of regular programs 
over assignments and tests. Take M to be the diamond operator < >, so that for α∈RG 
the formula M_α Q is <α>Q. Certainly then, 

L(M) is simply DL. 

We remark here that in fact we will be using Theorem 3.1 in the sequel only with 
… satisfying F. Consequently, we could have defined … We have stated and proved the 
theorem in its more general form in order to facilitate possible future applications of it. 
Theorem 3.2: L is A-expressive for DL. 

Proof: We have to show that for every DL-wff P there exists an L-wff P_L such that 
⊨_A (P ≡ P_L). We proceed by induction on P. The cases where P is an atomic formula, or of 
one of the forms ¬Q, Q∨R or ∃xQ, are straightforward. Assume P is of the form 
<α>Q for α∈RG and assume Q_L is the L-wff which is A-equivalent to Q. Denote var(α) by Z, 
and by Z' denote a vector of the same length as Z whose components are distinct variables 
not in var(α). By convention we can denote by x' the element of Z' corresponding to an 
element x of Z. We show, by induction on the structure of α, that there exists an L-wff 
F_α(Z,Z') such that for any DL-wff Q we have 

\[ (*)\qquad \models_A \big(\langle\alpha\rangle Q \;\equiv\; \exists Z'\,(F_\alpha \wedge (Q_L)^{Z}_{Z'})\big), \]

where (Q_L)^Z_{Z'} is the obvious generalization of (Q_L)^x_{x'} to vectors of variables. 

Thus, in a sense, we find a formula F_α which describes the effect of α by relating the 
value of Z to that of Z'. 

For an assignment x←e take F_{x←e} to be x'=e. Surely <x←e>Q is A-equivalent to 
<x←e>Q_L, which is A-equivalent to (Q_L)^x_e, or in fact to ∃x'(x'=e ∧ (Q_L)^x_{x'}). 

For the case where α is of the form β∪β', take F_{β∪β'} to be F_β ∨ F_{β'}. 

Similarly, when α is β;β', F_{β;β'} is taken to be ∃Z''((F_β)^{Z'}_{Z''} ∧ (F_{β'})^{Z}_{Z''}). 

Here Z'' is a "fresh" vector like Z'. It is quite straightforward to verify that (*) holds 
for both these cases. 

Assume α to be of the form β*. By standard techniques, using the encoding of 
finite sequences into single elements of the domain, we can construct an "iteration" 
formula ITR_β with a free variable n, such that we have ITR_β(0) ≡ (Z=Z'), where Z=Z' 
abbreviates the conjunction of x=x' over all x in Z, ITR_β(1) ≡ F_β, and for any natural 
number n>1 we have (slightly abusing the notation) 

\[ ITR_\beta(n) \;\equiv\; (\exists Z_1)\cdots(\exists Z_{n-1})\big((F_\beta)^{Z'}_{Z_1} \wedge (F_\beta)^{Z\,Z'}_{Z_1\,Z_2} \wedge \cdots \wedge (F_\beta)^{Z}_{Z_{n-1}}\big). \]

It is then easy to see that for any n, <β^n>Q is A-equivalent to ∃Z'(ITR_β(n) ∧ (Q_L)^Z_{Z'}), 
and hence that F_{β*} can be taken to be (∃n)(nat(n) ∧ ITR_β(n)), and that 
then (*) will hold. ∎
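The following worked example is added here and is not part of the thesis; it carries the construction of Theorem 3.2 through for the single program β ≡ x←x+1 and its iteration β*, with a constructed postcondition x=y. The rendering of ITR_β by means of the sequence-encoding predicate R(x,i,y) is my own reading of the "standard techniques" the proof alludes to, and it assumes that R pins down the i-th component of y uniquely, as the intuition "x is the i-th component of y" suggests. The symbol ≡_A is used below for A-equivalence.

```latex
% Added example (not from the thesis): Theorem 3.2 for beta = x <- x+1.
% Here Z = (x), Z' = (x'), and the postcondition Q = (x = y) is already an L-wff.

F_{x \leftarrow x+1}(x, x') \;\equiv\; x' = x + 1

\langle x \leftarrow x+1 \rangle (x = y)
  \;\equiv_A\; \exists x'\,( x' = x + 1 \wedge x' = y )
  \;\equiv_A\; x + 1 = y

% Iteration formula, first in the chain form of the proof (n > 1):
ITR_\beta(0) \equiv (x = x'), \qquad ITR_\beta(1) \equiv (x' = x + 1),
ITR_\beta(n) \equiv \exists x_1 \cdots \exists x_{n-1}
   \,( x_1 = x + 1 \wedge x_2 = x_1 + 1 \wedge \cdots \wedge x' = x_{n-1} + 1 )

% One L-wff with n free, as F_{beta*} requires, via the encoding predicate R
% (assumption: R(u,i,y) determines the i-th component of y uniquely):
ITR_\beta(n) \equiv \exists y\,\big( R(x, 1, y) \wedge R(x', n+1, y) \wedge
   \forall i\,( 1 \le i \le n \supset
      \forall u\,\forall v\,( R(u, i, y) \wedge R(v, i+1, y) \supset v = u + 1 ) ) \big)

F_{\beta^*}(x, x') \;\equiv\; \exists n\,( nat(n) \wedge ITR_\beta(n) )

% Instance of (*) for the iteration:
\langle (x \leftarrow x+1)^* \rangle (x = y)
  \;\equiv_A\; \exists x'\,( F_{\beta^*}(x, x') \wedge x' = y )
  \;\equiv_A\; \exists n\,( nat(n) \wedge ITR_\beta(n)^{x'}_{y} )

% Caveat: + has its standard meaning only on the natural numbers, so the chain
% collapses to x' = x + n (by induction on n, using axiom (B)) only under nat(x):
nat(x) \;\supset\; \big( \langle (x \leftarrow x+1)^* \rangle (x = y)
  \;\equiv\; \exists n\,( nat(n) \wedge y = x + n ) \big)
```

The last line is the point of the nat predicate: without nat(x) the universe is free to interpret x+1 arbitrarily on non-natural x, and the chain form is all that can be said.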
Thus by inspecting the assumptions of Theorem 3.1 in this context we arrive at the 
conclusion that if we can find an A-sound axiom system P for DL, such that 

(a) P is propositionally complete, 

(b) P includes all A-valid first-order formulae as axioms, 

(c) P includes the inference rule 

\[ \frac{R \supset Q}{\langle\alpha\rangle R \supset \langle\alpha\rangle Q}, \]

and (d) we can prove completeness of P for formulae of the simple forms R ⊃ <α>Q 
and R ⊃ [α]Q with first-order R and Q, 

then indeed by Theorem 3.1 we have an A-sound and A-complete axiom system for DL. An 
axiom system which, for every arithmetical universe A, when supplied with all A-valid 
L-wffs as axioms is A-sound and A-complete, is called arithmetically complete. In the next 
section we set ourselves out to find such an arithmetically complete axiom system for DL. 



3.2 Axiomatization of DL. 

In this section we provide an arithmetically complete axiom system P for DL. 
In the sequel A stands for any arithmetical universe, and L is the set of first-order 
formulae. When talking about arithmetical universes we will often want n, m etc. to stand 
for variables ranging only over the natural numbers. We do this by adopting the 
following convention: whenever a variable, say the variable n, is used in this way, 
its quantifier is implicitly relativized to nat(n). For 
example, ∃nP(n) stands for ∃n(nat(n) ∧ P(n)), that is, "there is a natural number n such 
that P(n) holds". Similarly, by convention, 
∀nP(n) stands for ∀n(nat(n) ⊃ P(n)). 

Consider the following axiom system P for DL. 

Axioms: 

(A) All instances of tautologies of the propositional calculus. 

(B) All A-valid L-wffs. 

(C) [x←e]P ≡ P^x_e, for any L-wff P. 

(D) [Q?]P ≡ (Q ⊃ P). 

(E) [α;β]P ≡ [α][β]P. 

(F) [α∪β]P ≡ ([α]P ∧ [β]P). 

Inference rules: 

\[ \text{(G)}\ \ \frac{P,\qquad P \supset Q}{Q} \qquad\qquad \text{(H)}\ \ \frac{P \supset Q}{[\alpha]P \supset [\alpha]Q} \]

\[ \text{(I)}\ \ \frac{P \supset [\alpha]P}{P \supset [\alpha^*]P} \qquad\qquad \text{(J)}\ \ \frac{P(n+1) \supset \langle\alpha\rangle P(n)}{P(n) \supset \langle\alpha^*\rangle P(0)} \]

where in (J) P is an L-wff with free n, such that n ∉ var(α). 

Rules (I) and (J) are called the rules of invariance and convergence respectively. 

A DL-wff P is said to be provable in P, written ⊢_P P, if there exists a finite sequence 
S of DL-wffs, the last one being P, such that each formula in S is an axiom (or an 
instance of an axiom scheme) or is obtained from previous formulae of S by one of the 
rules of inference. 

We first establish the soundness of the inference rules which appear in P. 

Lemma 3.3: For any universe U, DL-wffs R and Q, and α∈RG, 
if ⊨_U (R ⊃ Q) then ⊨_U ([α]R ⊃ [α]Q). 

Proof: Assume ⊨_U (R ⊃ Q), and J⊨[α]R for some J∈U. Thus for every I∈U such that (J,I)∈m(α) we 
have I⊨R. Surely then, from R ⊃ Q we have I⊨Q. Thus, J⊨[α]Q. ∎



Lemma 3.4: For any universe U, DL-wff P and α∈RG, if ⊨_U (P ⊃ [α]P) 
then ⊨_U (P ⊃ [α*]P). 

Proof. Assume ⊨_U (P ⊃ [α]P) and J⊨P for some J∈U. We have to show J⊨[α^n]P for all 
n. We proceed by induction on n. For n=0, J⊨[α^0]P iff J⊨[true?]P iff J⊨(true ⊃ P) iff 
J⊨P, which is assumed. Assume J⊨[α^n]P. By ⊨_U (P ⊃ [α]P) and Lemma 3.3 we can obtain 
⊨_U ([α^n]P ⊃ [α^n][α]P), and then conclude J⊨[α^n][α]P, or J⊨[α^{n+1}]P. ∎

Lemma 3.5: For any L-wff P(n) and α∈RG, where n ∉ var(α), 
if ⊨_A (P(n+1) ⊃ <α>P(n)) then ⊨_A (P(n) ⊃ <α*>P(0)). 

Proof. Assume ⊨_A (P(n+1) ⊃ <α>P(n)) and J⊨P(n). We show J⊨<α*>P(0), or 
J⊨∃n<α^n>P(0), by induction on n_J. For n_J=0 we have J⊨(n=0 ∧ P(0)), or 
J⊨<true?>P(0), which is J⊨<α^0>P(0). Assume that I⊨<α*>P(0) holds whenever 
I⊨P(m) and m_I = n_J − 1. By ⊨_A (P(n+1) ⊃ <α>P(n)) we conclude that there is an I with 
(J,I)∈m(α) and I⊨P(n), where n_I = n_J − 1. But then I⊨<α*>P(0), from which we have 
J⊨<α><α*>P(0), or J⊨<α*>P(0). ∎

We remark here that the rule of invariance (I) can be replaced by the induction 
axiom scheme 

[α*](P ⊃ [α]P) ⊃ (P ⊃ [α*]P), 

which is derivable in P, and from which, in P, rule (I) can be derived. 

Theorem 3.6 (A-soundness of P): For any DL-wff P, if ⊢_P P then ⊨_A P. 

Proof: Follows from Lemmas 1.6, 1.7, 2.1, 3.3, 3.4 and 3.5. ∎

We now apply the general Theorem of Completeness of the previous section to obtain 
an arithmetical completeness result for P. However, in order to apply that theorem we 
have to prove that P is A-complete for formulae of the forms R ⊃ [α]Q and R ⊃ <α>Q with 
program-free R and Q. These two results, Box-completeness (Theorem 3.9) and 
Diamond-completeness (Theorem 3.11), are obtained analogously; they are both proved by 
induction on the structure of α. The difficulty is when α is of the form β*, in which 
case we show that when, say, R ⊃ <β*>Q is A-valid, then there is a way of proving that fact 
in P. This is done by exhibiting derived rules (I') and (J') below to cover these cases, 
and proving that they can be applied. 
Lemma 3.7: The following are derived rules of P: 

\[ \text{(H')}\ \ \frac{P \supset Q}{\langle\alpha\rangle P \supset \langle\alpha\rangle Q} \qquad\qquad \text{(I')}\ \ \frac{R \supset P,\qquad P \supset [\alpha]P,\qquad P \supset Q}{R \supset [\alpha^*]Q} \]

\[ \text{(J')}\ \ \frac{R \supset \exists n P(n),\qquad P(n+1) \supset \langle\alpha\rangle P(n),\qquad P(0) \supset Q}{R \supset \langle\alpha^*\rangle Q} \]

with P and n in (J') as in rule (J). 

Proof. (H'): From ⊢_P (P ⊃ Q) we obtain, using (A) and (G), ⊢_P (¬Q ⊃ ¬P). 
Apply (H) to get ⊢_P ([α]¬Q ⊃ [α]¬P), then (A) and (G) to obtain ⊢_P (<α>P ⊃ <α>Q). 

(I'): From ⊢_P (P ⊃ [α]P) we have by (I) ⊢_P (P ⊃ [α*]P), and then using 
⊢_P (R ⊃ P) and (A) and (G), we obtain ⊢_P (R ⊃ [α*]P). From ⊢_P (P ⊃ Q) and (H) we have 
⊢_P ([α*]P ⊃ [α*]Q) and thus, again with (A) and (G), ⊢_P (R ⊃ [α*]Q). 

(J'): Like (I') but using the fact that from ⊢_P (R ⊃ ∃nP(n)) and ⊢_P (P(n) ⊃ <α*>Q) 
we can deduce ⊢_P (R ⊃ <α*>Q) using (B), (A) and (G). ∎

An L-wff P which A-validates the premises of (I') is called an invariant of α with 
respect to R and Q. The concept of invariance has been studied quite extensively in the 
literature on program verification. An L-wff P(n) which A-validates 
the premises of (J') we term a convergent of α with respect to R and Q. This concept 
does not seem to have received adequate treatment. 
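As an added worked example (mine, not the thesis's) of the derived rule (I') and of what an invariant is, here is a proof in P of the A-valid DL-wff (x=y) ⊃ [(x←x+1;y←y+1)*](x=y); the program and the invariant P ≡ x=y are constructed for the example, and R, P and Q in (I') all coincide with x=y.

```latex
% Added example, not from the thesis: a proof in P using the derived rule (I').
% Goal: (x = y) \supset [(x \leftarrow x+1 ; y \leftarrow y+1)^*](x = y), invariant P \equiv (x = y).

% 1. The premises R \supset P and P \supset Q of (I') are instances of the tautology (A):
\vdash_P (x = y) \supset (x = y)

% 2. Axiom (C) for the inner assignment (x = y is an L-wff):
\vdash_P [y \leftarrow y+1](x = y) \equiv (x = y + 1)

% 3. Axiom (C) for the outer assignment:
\vdash_P [x \leftarrow x+1](x = y + 1) \equiv (x + 1 = y + 1)

% 4. Axiom (B): a first-order validity, hence A-valid in every A:
\vdash_P (x = y) \supset (x + 1 = y + 1)

% 5. From 3 and 4 by (A) and (G):
\vdash_P (x = y) \supset [x \leftarrow x+1](x = y + 1)

% 6. From 2 by (A),(G) we get (x = y + 1) \supset [y \leftarrow y+1](x = y); then rule (H):
\vdash_P [x \leftarrow x+1](x = y + 1) \supset [x \leftarrow x+1][y \leftarrow y+1](x = y)

% 7. From 5 and 6 by (A),(G), then axiom (E) with (A),(G):
\vdash_P (x = y) \supset [x \leftarrow x+1 ; y \leftarrow y+1](x = y)

% 8. Rule (I') with R \equiv P \equiv Q \equiv (x = y) and premises 1, 7, 1:
\vdash_P (x = y) \supset [(x \leftarrow x+1 ; y \leftarrow y+1)^*](x = y)
```

The invariant used is the one Lemma 3.8 below would supply, since [(x←x+1;y←y+1)*](x=y) is itself A-equivalent to x=y (zero iterations already force x=y, and every iteration preserves it); in general the Invariance Lemma hands back the A-equivalent of [α*]Q and the proof only has to unfold it through the structure of α.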

We now show that it is always possible to find an invariant of α wrt R and Q, 
under the assumption that the conclusion of rule (I') is A-valid. 

Lemma 3.8 (Invariance Lemma): For every α∈RG and DL-wffs R and Q, if ⊨_A (R ⊃ [α*]Q) 
then there exists an L-wff P such that ⊨_A (R ⊃ P), ⊨_A (P ⊃ [α]P) and ⊨_A (P ⊃ Q). 

Proof: By Theorem 3.2 there is an L-wff P which is A-equivalent to [α*]Q 
(i.e. ⊨_A (P ≡ [α*]Q)). Certainly by ⊨_A (R ⊃ [α*]Q) we have ⊨_A (R ⊃ P). 
Similarly, it is easy to see that ⊨_A (P ⊃ Q) and ⊨_A (P ⊃ [α]P). ∎

Theorem 3.9 (Box-completeness Theorem): For every α∈RG and L-wffs R and Q, 
if ⊨_A (R ⊃ [α]Q) then ⊢_P (R ⊃ [α]Q). 

Proof: We proceed by induction on the structure of α. Assume the assertion of the 
theorem to hold for any β which is "smaller" than α in the obvious inductive sense, and 
assume ⊨_A (R ⊃ [α]Q). 

For α an assignment or a test, (C) and (D) reduce the problem to that of "proving" 
an A-valid L-wff, which is simply an axiom. 

If α is β∪β', then proofs in P of (R ⊃ [β]Q) and (R ⊃ [β']Q) can be combined by (F) to 
a proof of R ⊃ [β∪β']Q. Each of these being A-valid, we use the inductive hypothesis for 
both. 

If α is β;β' then we prove R ⊃ [β][β']Q in P in the following way and then use (E) 
to obtain the desired ⊢_P (R ⊃ [β;β']Q): Certainly we have ⊨_A (R ⊃ [β][β']Q) and hence 
⊨_A (R ⊃ [β]P), where P is an L-wff which is equivalent to [β']Q (and exists by Theorem 3.2). 
Now, R ⊃ [β]P being A-valid, we apply the inductive hypothesis to obtain ⊢_P (R ⊃ [β]P). 
Similarly we can show ⊢_P (P ⊃ [β']Q), and then, by (H), ⊢_P ([β]P ⊃ [β][β']Q), from which, 
using (A) and (G), we get ⊢_P (R ⊃ [β][β']Q). 

For the case when α is β*, we simply use Lemma 3.8, which guarantees the existence 
of an L-wff P which renders the premises of the derived rule (I') A-valid. By the 
inductive hypothesis these can be proved in P, and then an application of (I') yields the 
final result. ∎

Similarly, under the assumption that the conclusion of (J') is A-valid, we can 
always find a convergent of α wrt R and Q: 

Lemma 3.10 (Convergence Lemma): For every α∈RG and DL-wffs R and Q, if ⊨_A (R ⊃ <α*>Q) 
then there exists an L-wff P(n) with n ∉ var(α), such that ⊨_A (R ⊃ ∃nP(n)), 
⊨_A (P(n+1) ⊃ <α>P(n)), and ⊨_A (P(0) ⊃ Q). 

Proof: By the proof of Theorem 3.2 one can construct an L-wff P(n) such that for every 
state J∈A and natural number i, if n_J=i then <α^i>Q is equivalent in J to P(n). This 
we can write (slightly abusing notation) as ⊨_A (∀n)(nat(n) ⊃ (<α^n>Q ≡ P(n))). Certainly 
by ⊨_A (R ⊃ <α*>Q) we deduce ⊨_A (R ⊃ ∃nP(n)). Similarly, it is easy to see that the other 
A-validities hold too. ∎

Theorem 3.11 (Diamond-completeness Theorem): For every α∈RG and L-wffs R and Q, 
if ⊨_A (R ⊃ <α>Q) then ⊢_P (R ⊃ <α>Q). 

Proof: The proof follows that of Theorem 3.9, using the derived duals of (C)-(F), and 
using Lemma 3.10 instead of 3.8. ∎

We can now conclude that, for DL-wffs, A-validity and provability in P are 
equivalent concepts: 

Theorem 3.12 (Arithmetical Soundness and Completeness for DL): For any DL-wff P, 

⊨_A P iff ⊢_P P. 

Proof. One direction is Theorem 3.6 and the other follows from Theorems 3.1, 3.2, 3.9 
and 3.11, together with the fact that (A), (B), (G) and (H) are part of P. ∎

Theorem 3.12 is significant in that it shows that a very simple and elegant axiom 
system is sufficient for carrying out the (A-validity-preserving) translation of DL-wffs 
to formulae of arithmetic, in a structured manner. As we point out in Section 3.4.1, 
viewing the process of proving properties of programs as supplying a proof of a formula in 
an axiom system which takes all the validities of the underlying first-order language as 
axioms is due to Cook [12]. This observation, then, gives rise to viewing such axiom 
systems as mechanisms for carrying out this translation. 

Appendix B contains a proof in P of the A-validity of a nontrivial DL-wff which 
asserts the total correctness of an iterative version of McCarthy's [40] 91-function program. 



We remark that P is also an arithmetically complete system for rich-test-DL (see 
Section 2.3.3). Also, random-DL (2.3.2) is completely axiomatized by adding 
the axiom [x←?]P ≡ ∀xP to P, under the condition that in a 
universe A, the only x's we allow in random assignment statements of the form x←? are 
uninterpreted ones. Pratt [52] has spelled out the axioms to be added to P in order to 
completely axiomatize array-DL (2.3.1). 

We also note here that we have used a "weakest antecedent" approach to proving our 
completeness theorem. This can be seen in our taking P in the proof of Lemma 3.8 (resp. 
P(n) in the proof of Lemma 3.10) to be A-equivalent to [α*]Q (resp. <α^n>Q). A different 
proof of Lemma 3.8 (but not of 3.10) exists, employing the dual "strongest consequent" 
approach. This proof involves taking P to be A-equivalent to <(α⁻)*>R, where m(α⁻) is 
defined as {(I,J) | (J,I)∈m(α)}. A clarification of this observation appears in a wider 
context in Section 6.3. 



3.3 A Derived Axiomatization of DDL. 

In this section we supply an arithmetically complete axiom system DP for DDL (see 
Section 2.3.4) and compare it to the systems of Hoare [23] and Wang [69]. DP is basically a 
"special case" of P in the sense that its axioms and rules are identical to, or are 
straightforwardly derived from, those of P. Indeed, our point in carrying out the 
synthesis of DP from P is precisely to exhibit the way in which special-purpose systems 
such as Hoare's can be derived from a system such as P. 

Consider the following axiom system DP for DDL. 

Axioms: 

(A), (B), (C) and (D) as in P, 

(IF) [if S then α else β]P ≡ ((S ⊃ [α]P) ∧ (¬S ⊃ [β]P)). 

Inference rules: 

(G) and (H) as in P, 

\[ \text{(I'')}\ \ \frac{(P \wedge S) \supset [\alpha]P}{P \supset [\mathbf{while}\ S\ \mathbf{do}\ \alpha](P \wedge \neg S)} \]

\[ \text{(J'')}\ \ \frac{P(n+1) \supset (S \wedge \langle\alpha\rangle P(n)),\qquad P(0) \supset \neg S}{P(n) \supset \langle\mathbf{while}\ S\ \mathbf{do}\ \alpha\rangle P(0)} \]

with P and n in (J'') as in rule (J). 

Provability in DP is defined as usual. 

Lemma 3.13: For any α and β in RG, DL-wff Q and test S?, the following are valid: 

(1) [if S then α else β]Q ≡ ((S ⊃ [α]Q) ∧ (¬S ⊃ [β]Q)), 

(2) [while S do α]Q ≡ [(S?;α)*](S ∨ Q). 

Proof: Trivial from the definitions of the deterministic constructs in Section 2.3.4 and 
Lemmas 1.6 and 1.7. ∎

We now show the soundness of rules (I'') and (J''): 

Lemma 3.14: For any universe U, DL-wff P, α∈RG and test S?, if ⊨_U ((P ∧ S) ⊃ [α]P) 
then ⊨_U (P ⊃ [while S do α](P ∧ ¬S)). 

Proof. We have ⊨_U (P ⊃ (S ⊃ [α]P)), or ⊨_U (P ⊃ [S?;α]P). By Lemma 3.4 we have 
⊨_U (P ⊃ [(S?;α)*]P) and hence also ⊨_U (P ⊃ [(S?;α)*](¬S ⊃ (P ∧ ¬S))), which is simply 
⊨_U (P ⊃ [(S?;α)*;¬S?](P ∧ ¬S)). ∎

Lemma 3.15: For any L-wff P(n), test S? and α∈RG, where n ∉ var(S?;α), if 
⊨_A (P(n+1) ⊃ (S ∧ <α>P(n))) and ⊨_A (P(0) ⊃ ¬S) then ⊨_A (P(n) ⊃ <while S do α>P(0)). 

Proof. By assumption we have ⊨_A (P(n+1) ⊃ <S?;α>P(n)), and so by Lemma 3.5 also 
⊨_A (P(n) ⊃ <(S?;α)*>P(0)). By the second assumption, we deduce that in fact ⊨_A (P(n) 
⊃ <(S?;α)*>(¬S ∧ P(0))), or ⊨_A (P(n) ⊃ <(S?;α)*;¬S?>P(0)). ∎

Theorem 3.16 (Arithmetical Soundness and Completeness for DDL): For any DDL-wff P, 
⊨_A P iff ⊢_DP P. 

Proof: Soundness follows from Theorem 3.6 and Lemmas 3.13(1), 3.14 and 3.15. 
Completeness follows precisely in the footsteps of the proofs of Theorems 3.9, 3.11 and 
3.12, using two derived rules of DP, the analogues of (I') and (J') for while S do α, 
whose conclusions are 

R ⊃ [while S do α]Q 

and R ⊃ <while S do α>Q respectively. ∎

We remark that (I'') is precisely Hoare's [27] inference rule for proving the 
partial correctness of while programs. He writes P{α}Q for P ⊃ [α]Q. Also, (J'') is 
precisely one of Wang's [69] inference rules (rule T7) for proving the total 
correctness of while programs. In fact, DP without rule (J'') represents a simple 
rephrasing of Hoare's [27] original system. The synthesis of DP from P enables these 
rules to be derived in an easy way from the more general P, in which the rules for α* are 
concise, intuitively appealing, and quite easy to apply. 

We refer the interested reader to the survey in which we present more 
observations concerning other axiom systems and proof methods for reasoning about regular 
deterministic programs, which appear in the literature. 



3.4 Related Work. 

The approach to axiomatization taken in this thesis is closely related to, and was 
inspired by, Cook's [12] notion of relative completeness. In Section 3.4.1 we take up 
the task of comparing the two concepts; Section 3.4.2 is devoted to the description of 
the approach adopted by Mirkowska [41] in her work on the algorithmic logic of Salwicki 
[59]. She uses infinitary inference rules in an axiom system which characterizes the valid 
(as opposed to U-valid) formulae of that logic. 



3.4.1 Relative vs. Arithmetical Completeness. 

As we indicated in the previous section, Hoare [31] introduced an axiom system for 
the partial correctness of programs, one which is basically a subsystem of DP. For the 
sake of this discussion we can in fact think of the corresponding subsystem of P, 
consisting of (A)-(H) and rule (I), as Hoare's system and denote it by H. Cook [12] 
investigated the question of completeness of Hoare's system and managed to formalize what 
seems to be the intuitive way in which people prove correctness (partial in this case) of 
programs in line with the method suggested by Floyd and Naur [46]. Cook separated 
the reasoning about the program from the reasoning about the underlying language, making a 
distinction between proving, say, [x←e]P and proving P^x_e: the former still 
requires some program-oriented reasoning to obtain the latter 
formula, whereas the second does not. Thus, Cook's idea was to supply Hoare's system with 
a generous oracle which had the ability to answer questions concerning the truth of first-
order formulae. In this way he was able to focus attention on Hoare's rules 
themselves, which were to serve as a tool for carrying out a step by step transformation of 
partial correctness assertions (of the form P ⊃ [α]Q) into equivalent first-order formulae. 
The truth of the latter is then checked using the oracle. 

We now formally define Cook's [12] notion of relative completeness in the 
terminology we have developed. Assume given a language L' which includes all first-order 
formulae as wffs; thus L is part of L'. Assume AX is a sound axiom system for L' and 
denote by AX_U the system AX ∪ {P | P is an L-wff and ⊨_U P}; in other words, AX_U is AX 
augmented with all the U-valid first-order formulae as further axioms. AX is said to be 
complete for L' relative to L if for every universe U such that L is U-expressive for L', 
AX_U is U-complete for L' (every U-valid L'-wff is provable in AX_U). 

Theorem 3.17 (Cook [12]): H is complete for {R ⊃ [α]Q | R and Q are L-wffs} relative to L. 

The proof is in fact identical to that of our Box-completeness Theorem (Thm. 3.9). 

Now, if we restrict ourselves to languages L' such that for any arithmetical 
universe A, L is A-expressive for L', we note that arithmetical completeness is a special 
case of relative completeness; we do not require that AX_U be U-complete for all 
universes U which make L U-expressive for L', but only that that be the case for any 
arithmetical universe. Consequently then, in AX itself we can use symbols in ways which 
take their standard interpretation for granted. This is the flavor of the usage of n, + 
and nat in the Rule of Convergence (rule (J) of P). 

The flurry of "positive" research which followed Cook's observation, and which was 
aimed at providing similar results for various extensions and variations of the 
programming language (e.g. [13], [24] and [47]), led inevitably to a counter-effort of 
"negative" research aimed at proving incompleteness results which indicate when Hoare-like 
systems are doomed to be incomplete even in the relative sense of Cook. The first notable 
result in this direction is that of Wand [67], who showed that it is not the case 
that L is U-expressive for every universe U. Thus Wand shows that there exist universes U 
such that AX_U is not U-complete for L_H. More recently, Lipton [35] claims to have proved 
the following very interesting characterization of these "good" universes: L is 
U-expressive for L_H iff U is an arithmetical universe or a universe with a finite domain 
(call the latter a finite universe). Thus arithmetical universes and finite ones are the only 
universes for which a Hoare-like system has a chance of being complete, and Cook's [12] 
requirement boils down to requiring that AX_U be U-complete for 
these two kinds of universes. 

The finite universes, however, cause trouble: Clarke [10] has shown that 
introducing into the programming language various programming concepts, such as 
procedures with procedure parameters in the 
presence of recursion and other reasonable mechanisms, precludes the possibility of 
obtaining relatively complete axiom systems. The argument is based on the fact 
that the first-order language L is U-expressive for any finite universe U. The 
incompleteness results are then established by showing that these complex programming 
languages have an undecidable halting problem over finite universes (and hence the set of 
diverging programs is not r.e.), a fact which would contradict the existence of any 
relatively complete Hoare-like system (the existence of which, for a finite universe U, would 
imply that, in particular, the set of valid formulae of the form true ⊃ [α]false is r.e.). 
Hence, the trouble stems from the fact that the expressiveness requirement on L is 
satisfied by universes with finite domains. 

The research of Lipton and Snyder [36] and Lipton [35] culminates in a 
generalization and extension of Clarke's results, via a theorem (Theorem 1 in [36]) which 
seems to tie up as equivalent the two properties of a programming language: (1) having a 
decidable halting problem over finite universes, and (2) the set of partial correctness 
formulae over it being r.e. (i.e., the set of all U-valid L_H-wffs, for any U such that 
L is U-expressive for L_H). 

We conclude that relaxing Cook's requirement and requiring that AX_U be U-complete 
only for all arithmetical universes (thereby playing a slightly different expressiveness game) 
seems a reasonable thing to do, even for the relatively simple language L_H. 



In addition, it seems that in order for axiomatizations of much richer logics 
like, say, DL (and the logics appearing in the sequel, CFDL, ADL, DL⁺ and CFDL⁺) to be 
relatively complete (i.e. so that they work for finite universes too), the rules that involve 
arithmetic (i.e. rule (J)) would have to be modified to deal with the finite-domain case, 
and would probably result in a system which is far less natural and elegant. 

We are of the opinion, therefore, that the finite domains crept in because 
(1) the concept treated most extensively by researchers in the area was partial 
correctness ([α]P essentially), and (2) a weaker kind of expressiveness is needed to 
ensure the existence of an elegant relatively complete axiomatization of this particular 
concept on its own. 

Thus we feel that it is natural and beneficial to allow the integers into one's 
reasoning language, in order to make possible the kind of reasoning we carry out in P 
(and later on in CP, P⁺ etc.). 

Note that by adopting the "Hoare spirit" of structured, natural axiom systems, the 
remark in [67, pp. 90] "if the language is expressive … write down a 
complete axiom system for partial correctness" becomes irrelevant. We are not interested 
in a one-rule system which has built into it essentially the full description of how to 
Gödel-encode any wff and how to construct the equivalent formula of arithmetic. Rather, 
we want systems for composing our formulae step by step, using various kinds of assertions 
on the way. Of course, the proof that these systems are complete might involve relying on 
the expressive power of arithmetic, and hence might call upon the use of Gödel encoding, 
in turn making "the formulae … be less than perspicuous" [67] (as is the case with our 
completeness results, which at various points require finding the arithmetical equivalent 
to formulae). Nevertheless, we believe that the structure of these systems contributes 
considerably to the understanding of the logics involved and provides the framework in 
which the natural and intuitive proofs one might have for one's programs can be formulated. 



3.4.2 Infinitary Axiomatization. 

In 1970 Salwicki [59] introduced an algorithmic logic (AL) which is very close to 
DL in many respects, the main difference being that AL is designed to reason about 
deterministic regular programs only. Various directions of research were followed by the 
researchers at Warsaw initiated by Salwicki, and among them Mirkowska [41] addressed 
the problem of axiomatizing AL. (See [7] for a survey of their work and [21] for a 
comparison with DL.) 

In this section we will not attempt to define AL, nor will we state any of the 
results relevant to it. We will, however, give a brief description of an infinitary axiom 
system IX for DL, derived from that of [41], and state a completeness theorem for it. This 
theorem is easily obtained from the detailed proof 
(supplied in [42]) of the analogous theorem for AL which appears in [41]. 

The objective in constructing IX is entirely different from that of constructing 
P; the idea in IX is to provide a syntactical characterization of the valid DL-wffs, as 
opposed to the U-valid ones for specific universes U. Consequently, as we shall see, IX 
seems to be inadequate for proving properties of "interpreted" programs which operate over 
specific domains, and which use functions and predicates over these domains, having their 
standard interpretations in mind. 

IX is an axiom system which makes use of the following two tools for dealing with α*: 

The axiom <α*>P ≡ (P ∨ <α><α*>P), 

and the rule 

\[ (\omega)\ \ \frac{\{\,R \supset [\alpha^n]Q\,\}_{n \ge 0}}{R \supset [\alpha^*]Q} \]

Besides these, IX includes the axioms (A), (D), (E) and (F), two rules for ∀x, the axiom 
[α](P ⊃ Q) ⊃ ([α]P ⊃ [α]Q), and a more complicated version of (C) catering for 
the case where P is a general DL-wff. Also, (G) is an inference rule of IX, as is the 
rule 

\[ \frac{P}{[\alpha]P} \]

A proof of a DL-wff P in IX is a tree with root labeled by P, in which all paths 
are finite, and in which a node and its immediate ancestors are labeled in accordance with 
a rule of inference, the leaves being labeled with instances of axioms. Surely, by virtue 
of rule (ω), a proof-tree might be infinite; the crucial point, however, is that all paths 
are finite. 



Theorem 3.18 (Mirkowska [41]): For every DL-wff P, ⊨ P iff ⊢_IX P. 

Thus, IX characterizes the set of DL-wffs which are U-valid in every universe U. 
P, on the other hand, is designed to characterize the sets of DL-wffs which are valid in 
arithmetical universes. Specifically, assume A is some arithmetical universe with 
uninterpreted function and predicate symbols; the set of A-valid DL-wffs and the set of 
A-valid first-order wffs are both Π¹₁-complete sets. Our axiom system P "gets its 
Π¹₁ power" from axiom scheme (B), i.e. from taking the elements of the latter set as 
axioms. The rest of P, then, can "afford" being finitary. IX also characterizes a 
Π¹₁-complete set, namely the set of valid DL-wffs (see Theorem 2.11); however it "gets 
its power" from the infinitary rule (ω) rather than from the set of axioms (which in the 
case of IX is r.e.). We can think of this situation as a trade-off between throwing the 
bulk of the Π¹₁-responsibility on the axioms or on the inference rules. 

Another way of looking at the relationship is to note that since one can assert 
the existence of infinite trees, such as proofs in IX, using finite sentences of arithmetic, 
it is obvious that one can indeed give finitary inference rules to supplement a set of 
axioms which includes all valid sentences of arithmetic, and still be able to assert that 
a formula has an infinite proof in the IX sense. 

Note for example that the formula 

(*) nat(x) ⊃ <(x←x−1)*>x=0 

is an A-valid wff, but not a valid one, and hence the reader should not be surprised that 
he cannot see how to prove it using the circular-looking axiom for <α*> above. The valid 
wff which perhaps conveys the same idea as (*) is more complicated, and in it we have to 
replace nat(x) with a statement of the fact that x is accessible from z (standing for 0) 
via f (standing for successor), and that f acts on the set {z, f(z), f(f(z)), …} like 
successor does on the natural numbers: 

\[ \big(f(z) \ne z \wedge [y \leftarrow z;(y \leftarrow f(y))^*]\,(g(f(y)) = y)\big) \;\supset\; [x \leftarrow z;(x \leftarrow f(x))^*]\,\langle (x \leftarrow g(x))^* \rangle\, x = z. \]

This formula is valid, and provable in IX by virtue of each element of the set 

\[ \Big\{ \big(f(z) \ne z \wedge [y \leftarrow z;(y \leftarrow f(y))^*]\,(g(f(y)) = y)\big) \supset [x \leftarrow z;(x \leftarrow f(x))^i]\,\langle (x \leftarrow g(x))^* \rangle\, x = z \Big\}_{i \ge 0} \]

being provable. This can be done for fixed i by applying the axiom above for <α*> exactly 
i times to <(x←g(x))*>, thus "unraveling" the loop enough to obtain x=z. (In fact the 
proofs of each of these premises of rule (ω) do not use (ω) again.) 



4. Recursive Programs: Context-free Dynamic Logic (CFDL).

In this chapter we enrich the programming language we have been considering by replacing the * operator with a recursion operator; in a well defined sense we obtain context-free programs over assignments and tests, as opposed to the regular ones we had previously.

The development of the material in this chapter is strongly affected by the analogy existing between, on the one hand, the * construct, and, on the other, that of the recursion construct introduced below. The basic ideas present in the axiom systems appearing in [19] and [23] for proving the partial correctness of recursive programs are captured concisely by our box-rule for the recursive program construct, much as Hoare's [27] while rule is concisely captured by the rule of invariance of Chapter 3. Furthermore, we show that this rule is simply an instance of a principle of Park [51]. There is seemingly a drawback to our treatment, namely the absence of parameters in the programming language. The reason is our wanting to achieve a clarification of the mechanisms for reasoning about pure recursion. Our experience in digesting the literature on this subject is that in most of the cases the presentation of the basic principles suffers from being obscured by rules for dealing with the parameters (i.e. rules of substitution, adaptation etc.). We consider one of the goals of this chapter the elimination of these rules and the exposition of the similarity between reasoning about iteration and recursion.



4.1 Definitions.

The definition of CFDL is identical to that of DL, except that a different set of programs, namely CF, is employed instead of RC.

Syntax:

We assume given, besides the sets of symbols of Chapter 2, a set of program variables, elements of which we denote by X, X₁, X₂, .... The set of program terms is defined as follows:

(1) Every assignment x←e, test P? or variable Xᵢ is a term,

(2) For all terms τ₁,...,τₙ (n ≥ 1) and for every i=1,...,n, τ₁;τ₂, τ₁∪τ₂ and μᵢX₁...Xₙ(τ₁,...,τₙ) are terms.

The μᵢX₁...Xₙ(τ₁,...,τₙ) clause is intended, intuitively, to represent the program consisting of an execution of τᵢ, where the appearances of the various Xⱼ in the various τₖ represent "calls" to τⱼ. Thus, we have mutually recursive procedures. The bulk of the chapter, however, deals with the simpler case described below.

An occurrence of Xᵢ in a term τ is said to be bound if it is in a subterm of the form μⱼX₁...Xₙ(τ₁,...,τₙ), and free otherwise. A term with no free occurrences of any program variable is called closed. The set T of simple terms is the subset of the set of terms obtained by requiring that every subterm of the form μᵢX₁...Xₙ(τ₁,...,τₙ) is closed. The set T₁ of simple terms of width 1 is obtained from T by restricting the value of n in any subterm μᵢX₁...Xₙ(τ₁,...,τₙ) to be at most 1.

The set CF of context-free programs is taken to be simply the closed terms in T₁. In Section 4.4 we sketch the extension of our results to the case where the set of programs is taken to be T = ∪_{n≥1} Tₙ. At this point though, we can omit subscripts and, in the flavour of the semantics given below, can in fact adopt the convention of denoting μXτ(X) by τ*(/). Also, we have need only for one program variable X to serve as a "placeholder". T4«i^^|N^|lf^t^*y^P^'if«iitle^ program in CF. Context-free PL (CFPL) is defined just as PL, but using CF instead of RC.

Semantics:

All we really have to do here is define, for every α∈CF, the binary relation m(α), over the grand universe Γ, which α denotes. Inspection of the definition of CF shows that in fact all we have to add to the definition of m in Chapter 2 is how to define m(τ*(/)).

For clarification we will sometimes write τ(X) for a term τ which has free occurrences of X, and no free occurrences of any other program variable; we may then take τ(α) to abbreviate τ with all free occurrences of X replaced by α.

Define τ⁰(α) =_df α, and τ^{i+1}(α) =_df τ(τⁱ(α)). Now define

m(τ*(/)) =_df ∪_{i≥0} m(τⁱ(false?)),

which to some extent explains our use of τ*(/) to denote μXτ(X).
Example: Consider the program

α: z←x ; ((z=0?;y←1) ∪ (z≠0?;z←z-1;X;z←z+1;y←y*z))*(/)

which is of the form z←x;τ*(/). The following is the program τ³(false?):

((z=0?;y←1) ∪ (z≠0?;z←z-1;
    ((z=0?;y←1) ∪ (z≠0?;z←z-1;
        ((z=0?;y←1) ∪ (z≠0?;z←z-1;
            false?;
            z←z+1;y←y*z));
        z←z+1;y←y*z));
    z←z+1;y←y*z)).

One can check that in any state s∈Γ for which x_s=2, we have s ⊨ <z←x;τ³(false?)>y=2, and for every n≤2 we also have s ⊨ [z←x;τⁿ(false?)]false. Thus α, given x=2, computes 2 in y. In general it can be seen that in the universe N of pure arithmetic, m(α) is the binary relation {(s,t) | t = [(x_s)!/y]s}, and thus α is a program computing factorial over the natural numbers. ∎

One can see then, that (s,t)∈m(τ*(/)) iff there exists an integer n such that (s,t)∈m(τⁿ(false?)). In other words the intuition is that "executing" a recursive program τ(X), which "calls itself" in effect at each appearance of X, is executing, for some n, the program consisting of allowing calls of at most "depth" n. Thus, a successful execution of the factorial program above, which is of the form z←x;(β ∪ γ;X;δ)*(/), is any successful execution of z←x;γⁱ;β;δⁱ for some i.

(We remark that in fact this definition is in perfect agreement with fixpoint semantics of recursive programs, as defined, say, in [4] or [5]. Using terminology from these papers our τ's are all continuous over the domain of binary relations, and therefore defining the meaning of μᵢX₁...Xₙ(τ₁,...,τₙ) to be the i'th component of the least solution of the corresponding system of relational equations, in the sense of [4] and [26], is, by Kleene's [30] theorem, consistent with our definition of m(τ*(/)), or m(μXτ(X)).)

In the sequel we will need some additional notation to aid in constructing our rules of inference and in conducting our meta-reasoning. Note that any program α∈CF changes the values of at most the elements of var(α), all of which are variables. That is, α cannot change the value of any second-order function symbol or of any predicate symbol. Consequently, we would like to make it possible to talk about binary relations, such as those represented by programs, in a first-order framework. We do this by defining an augmented programming language CF' in which there are programs corresponding to these relations.

Formally, the set CF' is defined as follows:

- For any L-wff P and vector of disjoint variables Z, P^Z is in CF'.

- Any assignment x←e or test P? is in CF'.

- Any closed term τ*(/) of T₁ is in CF'.

- For any α,β∈CF', α;β and α∪β are in CF'.

The meaning of P^Z is given by the following additional clause to the definition of m:

m(P^Z) = {(s,t) | t = [V/Z]s for some vector V of elements from D_s, and [Z_t/Z']s ⊨ P}.

Thus, P is thought of as having free variables Z and Z', where Z' (in line with the remark in Section 2.2) is a vector of "primed versions" of the members of Z. Thus, for example, (x,y)' is (x',y'). Intuitively then, P^Z is the program which assigns (nondeterministically) to Z any value V such that in state s, P is true of the value of Z in s and V. Thus, P^Z "achieves" between s and t the relation induced by P(Z,Z').

Example: With Z=(x) and P(Z,Z') being (x'=x ∨ x'=f(x)), we have that

m(P^Z) = m(true? ∪ x←f(x)). ∎

Now, CF'DL is defined precisely as CFDL but using CF' instead of CF. Of course, we are interested in CFDL, not in CF'DL, but need CF'DL in which to carry out our reasoning. Our axioms and rules will take advantage of being able, in arithmetical universes, to construct an "achieve program" of the form P^Z to correspond to a given "real" program. Note that we could have defined CF' simply by adding P^Z constructs to the set of basic programs (i.e. besides assignments and tests), and then defining CF' to be the set of closed terms of width 1. However, we want to outlaw the possibility of P^Z appearing in τ(X), and then being "*-ed", i.e. we do not want programs of the form τ*(/) in which τ includes an "achieve" program. The reason for this will become apparent in the proof of Lemma 4.6.

4.2 Results.

Theorem 4.1: For any arithmetical universe A, L is A-expressive for CF'DL.

Proof: The Theorem is proved similarly to Theorem 3.1, but here a slightly different treatment for τ*(/) is necessary. It can be shown, by the encoding of finite sequences of elements of the domain of A (described in Section 3.1), that there exists, for every term τ(X), an L-wff ITR_τ(n) such that for every n, ITR_τ(n) "expresses" τⁿ(false?), in the sense that m(ITR_τ(n)^Z) = m(τⁿ(false?)), where Z=var(τ). As in Theorem 3.2, if Q_L is an arithmetical equivalent of Q then an arithmetical equivalent of <τ*(/)>Q is ∃n∃Z'(nat(n) ∧ ITR_τ(n) ∧ (Q_L)^{Z'}_{Z}). ∎

We now show that in fact RC is embedded in CF.

Lemma 4.2: For every α∈CF,

m(α*) = m((true? ∪ α;X)*(/)) = m((true? ∪ X;α)*(/)).

Proof: m(α*) = ∪_{n≥0} m(αⁿ) = m(true?) ∪ m(α) ∪ m(α;α) ∪ ... = m(false?) ∪ m(true?) ∪ m(α;true?) ∪ m(α;α;true?) ∪ ... = ∪_{n≥0} m((true? ∪ α;X)ⁿ(false?)) = m((true? ∪ α;X)*(/)). Similarly for the second equality. ∎
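The finite-unfolding semantics m(τ*(/)) = ∪ₙ m(τⁿ(false?)) and the two translations of α* in Lemma 4.2, as an added, runnable example that is not part of the thesis: a small interpreter for closed CF programs in our own tuple encoding, which computes the section of m(α) at a given start state by unfolding μ-terms to τⁿ(false?) for n up to a bound. The factorial program is the thesis's; the encoding, the bound `depth` and all helper names are ours.

```python
"""Binary-relation semantics of CF programs by finite unfolding.
Added example (not the thesis's code); the program encoding is ours."""

# Program encoding (ours):
#   ('assign', x, e)   x <- e, with e a Python function of the state
#   ('test', p)        P?, with p a predicate on the state
#   ('seq', a, b)      a ; b
#   ('union', a, b)    a U b
#   ('star', a)        a*
#   ('call',)          the program variable X
#   ('mu', tau)        tau*(/), i.e. mu X . tau(X)

FALSE = ('test', lambda s: False)      # the program false?
TRUE = ('test', lambda s: True)        # the program true?

def freeze(state):
    """States are dicts from variables to values; this is a hashable copy."""
    return tuple(sorted(state.items()))

def substitute(tau, inner):
    """tau(inner): tau with every free occurrence of X replaced by inner."""
    kind = tau[0]
    if kind == 'call':
        return inner
    if kind in ('seq', 'union'):
        return (kind, substitute(tau[1], inner), substitute(tau[2], inner))
    if kind == 'star':
        return ('star', substitute(tau[1], inner))
    return tau   # assignments, tests and closed mu-terms contain no free X

def unfold(tau, n):
    """tau^n(false?): tau^0(false?) = false?, tau^(i+1)(false?) = tau(tau^i(false?))."""
    prog = FALSE
    for _ in range(n):
        prog = substitute(tau, prog)
    return prog

def run(prog, state, depth):
    """Final states of the closed program prog started in state, i.e. the
    section of m(prog) at state.  depth bounds the call depth n used for
    mu-terms and the number of iterations used for star."""
    kind = prog[0]
    if kind == 'assign':
        new = dict(state)
        new[prog[1]] = prog[2](state)
        return {freeze(new)}
    if kind == 'test':
        return {freeze(state)} if prog[1](state) else set()
    if kind == 'seq':
        return {t for mid in run(prog[1], state, depth)
                for t in run(prog[2], dict(mid), depth)}
    if kind == 'union':
        return run(prog[1], state, depth) | run(prog[2], state, depth)
    if kind == 'star':
        # m(a*) = U_n m(a^n): the states reachable by repeating a
        seen = {freeze(state)}
        frontier = set(seen)
        for _ in range(depth):
            frontier = {t for s in frontier
                        for t in run(prog[1], dict(s), depth)} - seen
            if not frontier:
                break
            seen |= frontier
        return seen
    if kind == 'mu':
        # m(tau*(/)) = U_n m(tau^n(false?)): tau^n allows calls of depth < n
        return set().union(*(run(unfold(prog[1], n), state, depth)
                             for n in range(depth + 1)))
    raise ValueError("not a closed program: unexpected %r" % (kind,))

# The thesis's factorial program:
#   z <- x ; ((z=0?;y<-1) U (z!=0?;z<-z-1;X;z<-z+1;y<-y*z))*(/)
FACT_BODY = ('union',
             ('seq', ('test', lambda s: s['z'] == 0),
                     ('assign', 'y', lambda s: 1)),
             ('seq', ('test', lambda s: s['z'] != 0),
              ('seq', ('assign', 'z', lambda s: s['z'] - 1),
               ('seq', ('call',),
                ('seq', ('assign', 'z', lambda s: s['z'] + 1),
                        ('assign', 'y', lambda s: s['y'] * s['z']))))))
FACTORIAL = ('seq', ('assign', 'z', lambda s: s['x']), ('mu', FACT_BODY))

def factorial_outputs(x, depth):
    """Values of y in the final states of the factorial program started with
    x, when calls of depth at most `depth` are allowed (empty set: no output)."""
    return {dict(t)['y'] for t in run(FACTORIAL, {'x': x}, depth)}

def lemma_4_2_holds(a, state, depth):
    """Lemma 4.2 checked from one start state:
    m(a*) = m((true? U a;X)*(/)) = m((true? U X;a)*(/))."""
    star = run(('star', a), state, depth)
    left = run(('mu', ('union', TRUE, ('seq', a, ('call',)))), state, depth)
    right = run(('mu', ('union', TRUE, ('seq', ('call',), a))), state, depth)
    return star == left == right

COUNT_TO_3 = ('seq', ('test', lambda s: s['x'] < 3),
              ('assign', 'x', lambda s: s['x'] + 1))   # a = x<3?;x<-x+1

if __name__ == '__main__':
    for n in range(5):
        print('depth', n, '-> y in', factorial_outputs(2, n))
    print('Lemma 4.2 from x=0:', lemma_4_2_holds(COUNT_TO_3, {'x': 0}, 8))
```

From x=2 the factorial program yields nothing for depth 0, 1 and 2 and y=2 from depth 3 on, which is exactly the [z←x;τⁿ(false?)]false / <z←x;τ³(false?)>y=2 observation of the example; the Lemma 4.2 check compares the three meanings as sets of final states from a single start state, so it is a test on that state, not a proof.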
A counterexample to the other direction of the fact implied by Lemma 4.2 is the following program α∈CF, for which it can be easily shown that there does not exist any β∈RC such that m(α)=m(β):

(true? ∪ (x←f(x);X;x←f(x)))*(/).

Thus, CFDL falls between DL and r.e.-DL (see Section 2.3.5). Consequently, Theorems 2.8-2.11 are true of CFDL. It would be interesting, in line with the open problems of Chapter 2, to know the answers to the following:

Open Problem: Is DL < CFDL?

Open Problem: Is CFDL < r.e.-DL?

Note the analogy between α* and τ*(/), which can be clearly seen by relaxing notation and writing

α* = ∪_{n≥0} αⁿ,            τ*(/) = ∪_{n≥0} τⁿ(false?),
[α*]P = ∀n[αⁿ]P,            [τ*(/)]P = ∀n[τⁿ(false?)]P,
<α*>P = ∃n<αⁿ>P,            <τ*(/)>P = ∃n<τⁿ(false?)>P.

In the sequel we will write Z=Z' to abbreviate ∧_{x∈Z}(x=x'), and will assume that for programs of the form P^Z, Z and Z' appear in that order in the parenthesised list of free variables of P. Thus, for example, P(Z',Z)^Z will abbreviate the achieve program of P with Z and Z' interchanged. Furthermore, we will assume that in the context of a given universe U, the elements of Z', Z'' etc. consist of uninterpreted variables.

We now show how to express the fact that P^Z is an upper or lower bound on the relation represented by a program α, using DL notions.

Theorem 4.3: For any universe U and α∈CF, if Z=var(α) then

(1) ⊨_U (Z'=Z ⊃ [α]P(Z',Z)) iff m(α) ⊆ m(P^Z),

and (2) ⊨_U (P(Z,Z') ⊃ <α>Z'=Z) iff m(P^Z) ⊆ m(α).

Proof: (1): Assume ⊨_U (Z'=Z ⊃ [α]P(Z',Z)), and let s,t∈U with (s,t)∈m(α). We have to show that t=[V/Z]s for some vector V of elements of D_s, and that [Z_t/Z']s ⊨ P(Z,Z'). The first is trivial by the fact that Z=var(α). For the second, since α does not change Z', if (s,t)∈m(α) then (s*,t*)∈m(α), where s*=[Z_s/Z']s and t*=[Z_s/Z']t=[Z_s/Z'][Z_t/Z]s. However, by the assumption, since we have constructed s* such that s* ⊨ Z=Z', we must have t* ⊨ P(Z',Z), or [Z_s/Z'][Z_t/Z]s ⊨ P(Z',Z), which is the same as saying [Z_t/Z']s ⊨ P(Z,Z').

Conversely, assume m(α)⊆m(P^Z), and assume that for some s∈U we have s ⊨ Z'=Z, and that (s,t)∈m(α). We must show that t ⊨ P(Z',Z). By assumption, (s,t)∈m(P^Z), so that [Z_t/Z']s ⊨ P(Z,Z'), which by s ⊨ Z=Z' is equivalent to [Z_t/Z]s ⊨ P(Z',Z). However, by (s,t)∈m(α) we know that t=[Z_t/Z]s, so that t ⊨ P(Z',Z).

(2): Assume ⊨_U (P(Z,Z') ⊃ <α>(Z'=Z)), and assume (s,t)∈m(P^Z). We prove (s,t)∈m(α). By the second assumption, [Z_t/Z']s ⊨ P(Z,Z'), so that by the first we have [Z_t/Z']s ⊨ <α>(Z'=Z), i.e. ([Z_t/Z']s, u)∈m(α) for some u with u ⊨ Z'=Z. Since α does not change Z', u=[Z_t/Z']t; finally, from t=[V/Z]s for some V we conclude that (s,t)∈m(α).

Conversely, assume m(P^Z)⊆m(α), and that for some s∈U, s ⊨ P(Z,Z'). We show the existence of t∈U such that (s,t)∈m(α) and Z'_t=Z_t. Take t to be [Z'_s/Z]s. Certainly Z'_t=Z_t. Furthermore, by the definition of m(P^Z), since [Z'_s/Z']s is simply s, and since we assumed that s ⊨ P(Z,Z'), we conclude that (s,t)∈m(P^Z), and hence (s,t)∈m(α). ∎

We note that remarks to the effect that Theorem 4.3(1) holds are implicit in various places in the literature, and in particular in work on recursion.
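The achieve program P^Z and both halves of Theorem 4.3, checked by brute force; an added example, not from the thesis. The universe (domain {0,1,2,3} with f interpreted as successor modulo 4), the wffs and the relation standing in for m(α) are all constructed here; the program α is the thesis's true? ∪ x←f(x), written out directly as its relation rather than executed.

```python
"""Achieve programs P^Z and Theorem 4.3, checked by brute force over a small
finite universe.  Added example, not the thesis's code; the universe, the wffs
and the relation that stands in for m(alpha) are constructed here."""
from itertools import product

D = range(4)                       # domain of the constructed universe
Z = ('x',)                         # the vector Z of variables alpha may change
ZP = ('x_',)                       # its primed version Z' (x_ stands for x')

def f(v):
    """Interpretation of the function symbol f: successor modulo 4."""
    return (v + 1) % 4

def freeze(s):
    return tuple(sorted(s.items()))

def states():
    """All states giving values from D to x and x' (Z' is uninterpreted)."""
    for vx, vxp in product(D, repeat=2):
        yield {'x': vx, 'x_': vxp}

def sat_eq(s):
    """s |= Z'=Z, the conjunction of x'=x over the members of Z."""
    return all(s[zp] == s[z] for z, zp in zip(Z, ZP))

def achieve(P):
    """m(P^Z) = {(s,t) | t = [V/Z]s for some V, and [Z_t/Z']s |= P}."""
    rel = set()
    for s in states():
        for V in product(D, repeat=len(Z)):
            t = dict(s)
            t.update(zip(Z, V))             # t = [V/Z]s
            probe = dict(s)
            probe.update(zip(ZP, V))        # [Z_t/Z']s
            if P(probe):
                rel.add((freeze(s), freeze(t)))
    return rel

def swapped(P):
    """P(Z',Z): the wff P with Z and Z' interchanged."""
    def Q(s):
        r = dict(s)
        for z, zp in zip(Z, ZP):
            r[z], r[zp] = s[zp], s[z]
        return P(r)
    return Q

def part1(rel, P):
    """Both sides of Theorem 4.3(1), which should agree:
    |= (Z'=Z -> [alpha]P(Z',Z))   iff   m(alpha) is a subset of m(P^Z)."""
    PZZ = swapped(P)
    left = all(PZZ(dict(t)) for s, t in rel if sat_eq(dict(s)))
    right = rel <= achieve(P)
    return left, right

def part2(rel, P):
    """Both sides of Theorem 4.3(2), which should agree:
    |= (P(Z,Z') -> <alpha>Z'=Z)   iff   m(P^Z) is a subset of m(alpha)."""
    left = all(any(sat_eq(dict(t)) for s2, t in rel if s2 == freeze(s))
               for s in states() if P(s))
    right = achieve(P) <= rel
    return left, right

# The thesis's example: P(Z,Z') = (x'=x v x'=f(x)), alpha = true? U x<-f(x).
def P_OR(s):
    return s['x_'] == s['x'] or s['x_'] == f(s['x'])

def P_ID(s):                        # a smaller wff: x'=x, the identity relation
    return s['x_'] == s['x']

def P_ANY(s):                       # a larger wff: true, i.e. every pair
    return True

# m(true? U x<-f(x)) written out as a relation; alpha leaves x' unchanged.
ALPHA = {(freeze(s), freeze(t)) for s in states()
         for t in (dict(s), dict(s, x=f(s['x'])))}

if __name__ == '__main__':
    print('m(P^Z) = m(true? U x<-f(x)):', achieve(P_OR) == ALPHA)
    for name, P in (('x\'=x v x\'=f(x)', P_OR), ('x\'=x', P_ID), ('true', P_ANY)):
        print(name, 'part (1):', part1(ALPHA, P), 'part (2):', part2(ALPHA, P))
```

For each wff the two components returned by `part1` and `part2` coincide, as the theorem says: the identity wff x'=x is a lower bound on m(α) but not an upper bound, and the wff true is an upper bound but not a lower one.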

We now present some results, all derived from well known properties of binary relations, functionals and least fixpoints. However, since we will use them in the next section to construct our axiom system, we state them in terms of relations of the form m(α) for some α∈CF'.

Lemma 4.4: For any α,α'∈CF' and term τ(X), if m(α)⊆m(α') then m(τ(α))⊆m(τ(α')).

Proof: This is the monotonicity of our τ's over the domain of binary relations, and we omit the standard proof. ∎

Lemma 4.5 (Park [51]): For any α∈CF' and term τ(X), if m(τ(α))⊆m(α) then m(τ*(/))⊆m(α).

This is Park's [51] Fixpoint Induction Principle.

Lemma 4.6: For every α₀, α₁, ... ∈CF' and term τ(X), if m(α₀)=∅ and if furthermore for all i≥0 we have m(α_{i+1})=m(τ(αᵢ)), then for all i≥0, m(αᵢ)⊆m(τ*(/)).

Proof: By induction on i. For i=0 we have m(α₀) = ∅ = m(false?) = m(τ⁰(false?)) ⊆ ∪_{n≥0} m(τⁿ(false?)) = m(τ*(/)). Assume m(αᵢ)⊆m(τ*(/)), so that by Lemma 4.4 m(τ(αᵢ))⊆m(τ(τ*(/))). Thus we have m(α_{i+1}) = m(τ(αᵢ)) ⊆ m(τ(τ*(/))). However, one can show by induction on the structure of τ that m(τ(τ*(/))) = ∪_{n≥0} m(τ(τⁿ(false?))). (This follows from the continuity of τ over the domain of binary relations; cf. [5]. We note that this would not have been the case had we allowed achieve programs of the form P^Z to appear in the terms.) And so we have m(α_{i+1}) ⊆ ∪_{n≥1} m(τⁿ(false?)) = m(τ*(/)). ∎

4.3 Axiomatization of CFDL.

In this section we present an arithmetically complete axiom system R for proving the A-valid CF'DL-wffs; as a corollary, of course, R is arithmetically complete for CFDL too. In the sequel then, A is any arithmetical universe, and we adopt the same conventions regarding formulae with appearances of n, m, ... as in Section 3.5. Also, the "achieve" program corresponding to the L-wff P(n,Z,Z') will be denoted by P(n)^Z.

Consider now the following axiom system R for CF'DL.

Axioms:

(A)-(F) from P,

(K) [P^Z]Q ≡ (∀Z')(P(Z,Z') ⊃ Q^{Z'}_{Z}) for L-wffs P and Q (Q^{Z'}_{Z} denoting Q with Z' substituted for Z),

(L) (P ⊃ [τ*(/)]Q) ⊃ ((P∧R) ⊃ [τ*(/)](Q∧R)) where var(R)∩var(τ)=∅,

Inference Rules:

(C) and (H) from P,

(M)   Z'=Z ⊃ [τ(P^Z)]P(Z',Z)
      ----------------------------   where Z=var(τ),
      Z'=Z ⊃ [τ*(/)]P(Z',Z)

(N)   P(n+1,Z,Z') ⊃ <τ(P(n)^Z)>Z=Z',   ¬P(0,Z,Z')
      ---------------------------------------------   where Z=var(τ) and n∉var(τ).
      P(n,Z,Z') ⊃ <τ*(/)>Z=Z'

Provability in R is defined as usual. Axiom (L) is needed for "carrying" R across a program when that program cannot affect the truth of R. We now establish the soundness of the additional axioms and rules.

Lemma 4.7: For any L-wffs T and P(Z,Z'), CF'DL-wffs Q, R and S, and term τ(X), the following are valid:

(1) [P^Z]T ≡ (∀Z')(P(Z,Z') ⊃ T^{Z'}_{Z}),

(2) (S ⊃ [τ*(/)]Q) ⊃ ((S∧R) ⊃ [τ*(/)](Q∧R)) where var(R)∩var(τ)=∅.

Proof: Straightforward from the definitions. ∎

Lemma 4.8: For any universe U, L-wff P(Z,Z') and term τ(X) with Z=var(τ), if ⊨_U (Z'=Z ⊃ [τ(P^Z)]P(Z',Z)) then ⊨_U (Z'=Z ⊃ [τ*(/)]P(Z',Z)).

Proof: By Theorem 4.3(1) the hypothesis is m(τ(P^Z)) ⊆ m(P^Z). By Park's induction principle (Lemma 4.5) we obtain m(τ*(/)) ⊆ m(P^Z), which by Theorem 4.3(1) is precisely the conclusion. ∎

Lemma 4.9: For any L-wff P(n,Z,Z') and term τ(X) with Z=var(τ) and n∉var(τ), if ⊨_A (P(n+1,Z,Z') ⊃ <τ(P(n)^Z)>Z=Z') and ⊨_A ¬P(0,Z,Z') then ⊨_A (P(n,Z,Z') ⊃ <τ*(/)>Z=Z').

Proof: One can show, using Theorem 4.3(2) together with Lemmas 4.4 and 4.6, that m(P(n)^Z) ⊆ m(τ*(/)) for every n. Furthermore, by Theorem 4.3(2) this is precisely the conclusion. ∎

Theorem 4.10 (A-soundness of R): For any CF'DL-wff P, if ⊢_R P then ⊨_A P.

Proof: Follows from Theorem 3.6 and Lemmas 4.7, 4.8 and 4.9. ∎

Again we will apply Theorem 3.1 to prove the arithmetical completeness of R, but we are required first to prove the appropriate Box- and Diamond-completeness theorems. These will be established with the aid of:

Lemma 4.11: The following are derived rules of R, where Z and n are as in (M) and (N):

(M')   Z'=Z ⊃ [τ(P^Z)]P(Z',Z),   R ⊃ [P^Z]Q
       -----------------------------------------
       R ⊃ [τ*(/)]Q

(N')   P(n+1,Z,Z') ⊃ <τ(P(n)^Z)>Z=Z',   ¬P(0,Z,Z'),   R ⊃ ∃n<P(n)^Z>Q
       ----------------------------------------------------------------
       R ⊃ <τ*(/)>Q

Proof (M'): Assume ⊢_R (Z'=Z ⊃ [τ(P^Z)]P(Z',Z)). We apply (M) to obtain ⊢_R (Z'=Z ⊃ [τ*(/)]P(Z',Z)). Using axiom (L) we get

⊢_R ((Z'=Z ∧ (∀Z'')(P(Z',Z'') ⊃ Q^{Z''}_{Z})) ⊃ [τ*(/)](P(Z',Z) ∧ (∀Z'')(P(Z',Z'') ⊃ Q^{Z''}_{Z}))),

from which we deduce ⊢_R ((∀Z'')(P(Z,Z'') ⊃ Q^{Z''}_{Z}) ⊃ [τ*(/)]Q). Thus, by axiom (K) and the second assumption the conclusion follows.

(N'): Similar to (M'). ∎

Note the similarity between rules (I') and (J') of Lemma 3.7 on the one hand, and (M') and (N') on the other. Here too, for the [τ*(/)] case we are essentially looking for what we might call an "invariant" P under the application of τ, "between" R and Q in the sense of R ⊃ [P^Z]Q. For the <τ*(/)> case we are "counting" the number of applications of τ needed for being able to terminate in a state satisfying Q.

We now show that rule (M') can indeed always be applied when its conclusion is A-valid.

Lemma 4.12 (Invariance Lemma for CF'DL): For every term τ(X) and CF'DL-wffs R and Q, if ⊨_A (R ⊃ [τ*(/)]Q) then there exists an L-wff P(Z,Z') with Z=var(τ), such that

⊨_A (R ⊃ [P^Z]Q) and ⊨_A (Z'=Z ⊃ [τ(P^Z)]P(Z',Z)).

Proof: Implied by the way Theorem 4.1 is proved is the fact that there exists a first-order formula of arithmetic P(Z,Z') which "represents" the program τ*(/) in the sense that m(P^Z)=m(τ*(/)). Certainly then, by the assumption, we have ⊨_A (R ⊃ [P^Z]Q). Also, as noted in the proof of Lemma 4.6, m(τ(τ*(/))) = m(τ*(/)), and so we have m(τ(P^Z)) = m(P^Z), which by Theorem 4.3(1) is ⊨_A (Z'=Z ⊃ [τ(P^Z)]P(Z',Z)). ∎

Theorem 4.13 (Box-completeness Theorem for CF'DL): For every α∈CF' and L-wffs R and Q, if ⊨_A (R ⊃ [α]Q) then ⊢_R (R ⊃ [α]Q).

Proof: The proof follows Theorem 3.9 precisely, but uses Lemma 4.12 and rule (M') instead of Lemma 3.8 and rule (I'). ∎

Lemma 4.14 (Convergence Lemma for CF'DL): For every term τ(X) and CF'DL-wffs R and Q, if ⊨_A (R ⊃ <τ*(/)>Q) then there exists an L-wff P(n,Z,Z') such that

⊨_A (P(n+1,Z,Z') ⊃ <τ(P(n)^Z)>Z=Z'), ⊨_A ¬P(0,Z,Z'), and ⊨_A (R ⊃ ∃n<P(n)^Z>Q).

Proof: Again, by the method used in the proof of Theorem 4.1, there exists an L-wff P(n,Z,Z') representing τⁿ(false?) in the sense that for every n we have m(P(n)^Z) = m(τⁿ(false?)). It is easy to see that all three A-validities hold for P. ∎

Theorem 4.15 (Diamond-completeness Theorem for CF'DL): For every α∈CF' and L-wffs R and Q, if ⊨_A (R ⊃ <α>Q) then ⊢_R (R ⊃ <α>Q).

Proof: Precisely as Theorem 3.11, but using Lemma 4.14 and rule (N') instead of Lemma 3.10 and rule (J'). ∎

Here too we conclude that for CF'DL-wffs, A-validity and provability in R are equivalent concepts:

Theorem 4.16 (Arithmetical Soundness and Completeness for CF'DL): For every CF'DL-wff P, ⊨_A P iff ⊢_R P.

Proof: One direction is Theorem 4.10, and the other follows from Theorems 3.1, 4.1, 4.13 and 4.15. ∎
We remark that the [τ*(/)] part of R, in particular the derived rule (M'), conveys the essential ideas appearing in the axiom systems of [19] and [23] for proving the partial correctness of recursive programs. We have essentially shown that the central idea in these axiomatizations (referred to in [21] as the "... of variables" method) is in fact a rephrasing of Park's [51] induction principle in a logical framework. Rule (N) for <τ*(/)> is very similar to the rule in [63] for proving the total correctness of deterministic recursive programs.

The results in this section indicate that reasoning about "pure" recursion is analogous to reasoning about regular programs. Here we are using the integers to count how "deep" we are in the recursion (using P(n)), whereas before we counted how "far" we are in the iteration. Other than having to devise the P^Z machinery, there was no real difficulty at this point in extending the methods of Chapter 3 to recursive programs. In Chapter 7, though, a reassessment of this claim will become necessary.

An interesting remark, which we do not elaborate upon nor justify further here, is the fact that the proof method for formulae of the form R ⊃ [α]Q which is incorporated into R boils down to Floyd's [17] inductive assertion method and Morris and Wegbreit's subgoal induction method respectively, when regular programs α are translated into recursive ones via the two methods appearing in Lemma 4.2. Thus the duality holding between these two methods shows up nicely as stemming from two dual ways of viewing α*.



4.4 Mutual Recursion.

In this section we briefly indicate how to extend the axiomatization of Section 4.3 to the case where the programs can be mutually recursive. Specifically, we consider the programming language MCF (giving rise to the logic MCFDL), which is the set of all simple closed terms, i.e. T = ∪_{n≥1} Tₙ.

We do not provide here a precise definition of m(μᵢX₁...Xₙ(τ₁,...,τₙ)), but rather assume that the reader is familiar with the standard definition of it (cf. [3] or [26]) as the i'th component of the least solution of the system of relational equations

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• • • 

where the ordering on the binary relations is that of set inclusion.

The axiom system MR for MCF'DL is constructed analogously to R. Axiom (L) is rephrased for a general μ-term as

(L') (P ⊃ [μᵢX₁...Xₙ(τ₁,...,τₙ)]Q) ⊃ ((P∧R) ⊃ [μᵢX₁...Xₙ(τ₁,...,τₙ)](Q∧R)),

where var(R)∩var(τ₁∪...∪τₙ)=∅.

Denote by Mⱼ(i,α) the program

μⱼX₁...X_{i-1}X_{i+1}...Xₙ(τ₁(X₁,...,X_{i-1},α,X_{i+1},...,Xₙ), ..., τₙ(X₁,...,X_{i-1},α,X_{i+1},...,Xₙ)).

Mⱼ(i,α) is the program μⱼX₁...Xₙ(τ₁,...,τₙ) in which the i'th procedure has been replaced by the program α; wherever a "call" is made to this procedure, in which case τᵢ is to be executed, α is executed instead.

The rules for the recursive constructs are

(M'')  Z'=Z ⊃ [τᵢ(M₁(i,P^Z), ..., M_{i-1}(i,P^Z), P^Z, M_{i+1}(i,P^Z), ..., Mₙ(i,P^Z))]P(Z',Z)
       ---------------------------------------------------------------------------------
       Z'=Z ⊃ [μᵢX₁...Xₙ(τ₁(X₁,...,Xₙ), ..., τₙ(X₁,...,Xₙ))]P(Z',Z)

       where Z=var(τ₁∪...∪τₙ),

(N'')  P(n+1,Z,Z') ⊃ <τᵢ(M₁(i,P(n)^Z), ..., M_{i-1}(i,P(n)^Z), P(n)^Z, M_{i+1}(i,P(n)^Z), ..., Mₙ(i,P(n)^Z))>Z=Z',   ¬P(0,Z,Z')
       -----------------------------------------------------------------------------------------------------
       P(n,Z,Z') ⊃ <μᵢX₁...Xₙ(τ₁(X₁,...,Xₙ), ..., τₙ(X₁,...,Xₙ))>Z=Z'

       where Z=var(τ₁∪...∪τₙ) and n∉var(τ₁∪...∪τₙ).

It should be noted that the premises of both these rules involve programs of less complexity than their conclusions; the latter involve terms in Tₙ, whereas the premises involve "at most" terms in T_{n-1}.

One can now show the following, by a detailed argument analogous to that followed in Sections 4.2 and 4.3:

Theorem 4.17: For every MCF'DL-wff P, ⊨_A P iff ⊢_MR P.

We remark that rule (M'') essentially follows our ideas in [34] for proving the partial correctness of recursive programs.






PART II: Computation-Tree Based Logics.

5. Computation Trees, Total Correctness and Weakest Preconditions.

Up to this point we have been developing mathematical tools, namely the various dynamic logics, which enabled us to write down and prove certain formulae which made assertions about programs. In Section 2.2 we commented to the effect that some conventional properties of programs which have intuitively plausible meanings happen to be expressible as simple formulae of dynamic logic.

In this chapter we show that an important property of a program, namely its so called "total correctness", does not have a straightforward intuitive meaning, and that its definition requires careful analysis of the notion of "executing" a program. In fact, the definition of the total correctness of a program depends upon the particular method of execution one has in mind. Consequently, it is not at all clear a priori whether this property of a program can be expressed in dynamic logic. An upshot is the fact that the closely related notion of the weakest precondition (wp) of a program, although introduced by Dijkstra in [13] and used extensively in the literature, has not received a proper definition in [13] or in [14]. The objective of this chapter is to clarify, and to precisely define, both of these concepts.

In Section 5.1 we motivate and introduce the problem. Section 5.2 contains a refinement of the binary relation semantics for our programming language RC, using computation trees, and giving rise to the two important concepts of diverging and failing. In Section 5.3 we introduce four plausible methods for executing nondeterministic programs, by describing four methods for traversing computation trees in search of a final state. The total correctness of a program is then defined as being dependent upon these methods. In Section 5.4 we use these ideas to define the corresponding weakest precondition, which similarly depends on execution methods, and to analyze each of the four resulting wp's as to whether they satisfy the properties required of Dijkstra's wp in [14]. We find that two of them do. Then, in Section 5.5, we define the guarded commands language introduced in [13], and carry out a formal analysis aimed at showing that Dijkstra really had in mind one particular notion of wp, which corresponds only to one of our four execution methods, namely depth-first search without backtracking.
5.1 Motivation.

Let us look at two examples.

(1) It is easy to see that any DL-wff P(α) involving the program variable α has the property that P(β) is equivalent to P(β') in every state, where β is taken to be (x←e) and β' to be (x←e ∪ (y←e';false?)). This is simply because m(β)=m(β'). However, we would like to be able to state that if β' is "executed" by the processor "choosing" one of the components of the ∪ connective and executing it, then if y←e';false? happens to be chosen this "execution" will not terminate.

(2) Similarly, P(γ) is always equivalent to P(γ'), where γ is taken to be (x←e) and γ' to be (x←e;(x←x)*). Here too m(γ)=m(γ'), but we would like to be able to state that if (x←x)* is executed by the reasonable method of, repeatedly, at each step either terminating or executing x←x as suggested by the diagram, then there is a possibility of never choosing to terminate and hence executing x←x "for ever".

We would like to refer to the phenomenon illustrated by example (1) as a failure and to that illustrated by (2) as a divergence.

Intuitively, a failure indicates reaching a false test with no immediate alternative at hand. In example (1) above, in order to carry out the alternative x←e when the false test is reached the assignment y←e' must be "undone"; thus the alternative entails some backtracking and is therefore not immediate; consequently, there is a failure. However, the if P then α else β construct, which is (P?;α ∪ ¬P?;β) (see Section 2.3.4), should not contain a failure although one of the tests will be false whenever the construct is reached; here there is an immediate alternative at hand. A divergence is what is more popularly called an "infinite loop", i.e. a computation that does not terminate. These two concepts will receive formal definitions in the next section.

What we are interested in defining is a precise notion of the total correctness of a program α, with respect to assertions R and Q, to mean intuitively that whenever R is true, then "no matter how α is executed" (i.e. "no matter how choices are made") it is the case that α will indeed terminate in a state satisfying Q. It might seem plausible at this point that we would want this definition to be such that β and γ are, but β' and γ' are not, totally correct with respect to true and true. In other words, it might seem that the possibility of either diverging or failing should render a program not totally correct. We will see in Section 5.3 that this is not the case. In fact, we will show that the four possibilities obtained by having the presence of a divergence / failure affect / not-affect the total correctness of a program correspond smoothly to four different methods of executing nondeterministic programs.

We now set up the technical machinery we need.



5.2 Computation Trees, Diverging and Failing.

In this section we introduce the notion of the s-computation tree of a program α, denoted by ct(α,s). We present some properties of computation trees and in particular show that one might view computation trees as an alternative semantics for the set of regular programs RC, consistent with the binary relation semantics. The trees however, in addition to the input-output information, contain additional information regarding the presence or absence of divergences and failures.

Each node of ct(α,s) will be labeled with a state in Γ or with the symbol F (denoting failure), and will be of outdegree at most 2. The root is labeled with s and nodes labeled with F will always be leaves. The intuition is that a path from the root represents a legal computation of α starting in state s; a leaf represents a termination state if it is labeled with a state in Γ, or a failure if it is labeled with F. Any node with descendants represents an intermediate state of the computation, and if it has two descendants then there is, so to speak, a choice as to how to "continue execution".

A node will be represented by a pair (t,l), where t is a finite string over {0,1} describing the location of the node in the tree by denoting "go left" by 0 and "go right" by 1, and l (the label of the node) is either a state in Γ or the symbol F. Thus, for example, the tree drawn with root s, left descendant s', right descendant s'' and, below s'', a failure on the left and s''' on the right is represented as {(Λ,s),(0,s'),(1,s''),(10,F),(11,s''')}. As can be seen, Λ, the empty string, marks the root of the tree. By convention, a single descendant is marked as "going left", i.e. by 0.

In order to define ct(α,s) we first define a preliminary tree pct(α,s) in which every false test will be indicated by a failure node. ct(α,s) will then be obtained from pct(α,s) by deleting those failure nodes for which there is an immediate non-failing alternative.

Formally, for any 1*1* and a*RC, we define, by induction on the structure of a, 
the preliminary computation tree /«/(«, J) to be a subset of {0^}* ^W u |f3)i«»- 
follows, where w# use 1 ta range over ( F u {fl), and s, t,^ to range over (M^ 

(1) p£*<x«-e»J) a ((MMOJej/xU!}, 

f {tt,J)> if JH> 

(2) pamj)-* 1 

[ «W-)} if JW>, 

(4) let E * .{(t^M^fC* ,1)1 *«T a (VW{04l)(^K(ru|WtC^»^^«rJ))l, 

and let C - pct(aJ)-L. then 

/Meftf.J) = C u {(ts,l)| (3|>t(tJ)€E a iitftpfftlMi&Xh 

(5) pct(a*J) - jKtUttwIu «;«*), Ih 

Note that clause (S) might give rise to an infinite tree. 

Now obtain cf( a, J) from pct(m,J) by deleting some of the failure nodes as follows: for 
any tf{0,l}* and #«I\ replace every pair \x\.pct{a,l) of the form (tO,F), (tl,#) by 
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(tl,|), and of the form (tl,F), (t0,|) by (t0,#. ThuMw ait Ignoring fab« ««* *"** 
occur as a component of the u operator, when the other component is not a false test. 

Examples: We describe, by means of simple diagrams, some computation trees for various $\alpha$. In each case, whenever they are not identical, we give both the preliminary tree $pct(\alpha,J)$ and the final tree $ct(\alpha,J)$. In all the examples $J$ is some fixed state of the arithmetical universe $N$ for which $x_J = 0$, and in the diagrams we let $i$ denote the state $[i/x]J$. The programs illustrated are:

(a) $x=0?;x \leftarrow x+1 \ \cup\ x<2?;x \leftarrow x+2$

(b) $x=0?;x \leftarrow x+1 \ \cup\ x \neq 0?;x \leftarrow x+2$

(c) $x=0? \ \cup\ (x \neq 0? \ \cup\ x=0?)$

(d) $x \leftarrow x+1;(x=0? \ \cup\ (x \leftarrow x+1;x=1?))$

(e) $(x \leftarrow x+1)^*$

(f) $(x<2?;x \leftarrow x+1)^*$

(g) $(x<2?;x \leftarrow x+1)^*;x=2?$

[tree diagrams omitted]

Thus, the computation trees of if $P$ then $\alpha$ else $\beta$ and while $P$ do $\alpha$ (see Section 2.4) do not contain failures other than the relevant ones inside $\alpha$ or $\beta$.

Lemma 5.1: For every $\alpha \in RG$ and $J \in \Gamma$:

(1) there is exactly one node in $ct(\alpha,J)$ of the form $(\Lambda,l)$, $l \in \Gamma \cup \{F\}$;

(2) for every $t \in \{0,1\}^*$ there is at most one node in $ct(\alpha,J)$ of the form $(t,l)$;

(3) for every $t \in \{0,1\}^*$ and $s \in \{0,1\}$, if $(ts,l) \in ct(\alpha,J)$ then $(t,J') \in ct(\alpha,J)$ for some $J' \in \Gamma$.

Proof: Omitted. ∎

Thus, for every $\alpha$ and $J$, $ct(\alpha,J)$ is a nonempty, possibly infinite tree of finite outdegree with nodes labeled with elements of $\Gamma \cup \{F\}$. The nodes $(t0,l)$ and $(t1,l')$ are called descendants of a node of the form $(t,J')$; a node with no descendants is called a leaf. By Lemma 5.1(2,3) all nodes labeled with $F$ are leaves.

We now show that computation trees subsume the binary relation semantics of Chapter 2.

Theorem 5.2: For any $\alpha \in RG$, $(J,J') \in m(\alpha)$ iff $ct(\alpha,J)$ has a leaf labeled with $J'$.

Proof: By induction on the structure of $\alpha$. Denote by $J\alpha$ the set $\{J' \mid (J,J') \in m(\alpha)\}$, and by $s(\alpha,J)$ the set $\{J' \mid$ there is a leaf of $pct(\alpha,J)$ labeled with $J'\}$. We prove first that $J\alpha = s(\alpha,J)$, and then the result follows by observing that the transition from $pct(\alpha,J)$ to $ct(\alpha,J)$ does not delete any nodes which are labeled with states.

For an assignment, we have $J(x \leftarrow e) = \{[e/x]J\} = s(x \leftarrow e, J)$. For a test, if $J \not\models P$ then $J(P?) = \emptyset = s(P?,J)$, and if $J \models P$ then $J(P?) = \{J\} = s(P?,J)$.

Assume $J\alpha = s(\alpha,J)$ and $J\beta = s(\beta,J)$ for every $J$. Certainly then, by definition of $pct(\alpha \cup \beta, J)$, we have $s(\alpha \cup \beta, J) = (J\alpha \cup J\beta) = J(\alpha \cup \beta)$. For composition, note that the labels of the nodes in the set $E$ of clause (4) are exactly the elements of $s(\alpha,J)$. Consequently, one can see that $s(\alpha;\beta, J) = \bigcup_{J' \in J\alpha} J'\beta = J(\alpha;\beta)$.

Similarly, one can show that $s(\alpha^*, J) = \bigcup_{n \geq 0} s(\alpha^n, J) = \bigcup_{n \geq 0} J(\alpha^n) = J(\alpha^*)$. ∎

It is therefore the case that, with $J'$ ranging over $\Gamma$, the leaves of $ct(\alpha,J)$ which are labeled with states convey the input-output information contained in the binary relation $m(\alpha)$. Note that in this framework $J \models \langle\alpha\rangle P$ asserts the existence in $ct(\alpha,J)$ of at least one leaf labeled with a state which satisfies $P$. Similarly, $J \models [\alpha]P$ asserts that $P$ holds in any state which labels a leaf in $ct(\alpha,J)$. However, $ct(\alpha,J)$ contains much more information than is contained in $m(\alpha)$. In particular, we now define, for every program $\alpha \in RG$, two Boolean constants $\mathit{loop}_\alpha$ and $\mathit{fail}_\alpha$, with the intended meaning of being true in state $J$ iff $\alpha$, started in $J$, can diverge or fail, respectively.

Formally, we define

$J \models \mathit{loop}_\alpha$ iff $ct(\alpha,J)$ is infinite,

$J \models \mathit{fail}_\alpha$ iff $ct(\alpha,J)$ has a node labeled with $F$.

Note that, $ct(\alpha,J)$ being of finite outdegree, we can apply König's lemma to conclude that in fact $J \models \mathit{loop}_\alpha$ iff there exists an infinite path from the root; i.e. there is an infinite sequence of nodes

$(\Lambda,J),\ (b_1,J_1),\ (b_1 b_2,J_2),\ \ldots$ in $ct(\alpha,J)$, with $b_i \in \{0,1\}$.

Hence the term "divergence".

An interesting problem is that of determining how hard it is to decide if a program diverges for "uninterpreted reasons". Formally:

Open Problem: What is the degree of undecidability of the set of valid formulae of the form $P \supset \mathit{loop}_\alpha$, where $P$ is an L-wff?
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We now prove some properties of loep a and fUtg which will be needed in 
Section S.4. However, the main logical treatment of these concepts will be given in 
Chapters 6 and 7. 

Lemma f-.fi For any <r,0*RG the following arevalids 

(1) tbop^.0 « Ueop a v <*>bop fi ), 

(3) fati a '=>faii tt p 

(4) C«]/«fc# a ifaa a Yloep 9 ). 

Proof: (I): Assuming JWoo^^j, consider an infinite path from the root in 
cr( or ;0, jf). It is easy to see that either that whole path appears iivtfU.J) , or a 
finite initial segment of it does, and the rest ( i*. an infinite path) appears in 
ctifij) for some $*U*h Conversely, an in/inite path in either cf(«, J) or in 
c*(p\|) for some|f( Jet), will »|w d,J). 

(2): Consider a failure in cf(a;0,J), and assume, that ^/ci/ a and 
$+-*fallQ for eVery J(( Ja). The F-node in rt(«;p\J) appeared t*f(a;t1,J) l and 
also in either pct(0,J) or in pct(fij) for some #€( J«). However, for it to have been 
deleted in the process of constructing crfo**) or c*<p\J),tt had *o have appeared (wig) 
in a subtree of the form tFj 



This subtree appears also in pct{*',0 t 3), and the F-node would have had to be deleted 
from it too. 

The proofs of (3) and (4) follow similar reasoning;, and are omitted. I 

Note that a counter example to the other direction of Lemma SJ(2) is obtained by 
taking a to be ( true? u x«-l) and to be x»l?. When x j«0, we have ( 3, J)«m(«) and 
Jtfailp but Jt-tfalt^p 
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5.3 Execution Methods and Total Gorv«etaera. 

In this section we define four algorithms for traversing the J -computation tree 
ct{a,3) of a program «*RC in search of a final state; to, a teat of cf(a,J) of the 
form (t,$) for some j«T. The algorithm* wilt output this sta* f,. Then we define the 
notion of total correctness of a program « with respect to input-output conditions R and 
Q as being dependent upon the methods. 

We use informal terms for describing our algorithms: 

Depth Search (D): Starting from the root of f(«,J) proceed down the tree by moving 
from father to son. Whenever a node with two sons is reached one of them is chosen 
nondeterministkatty and traversal continues on it The process terminates when a leaf is 
reached ; its label is taken as the result 

Note that if 3¥lo6p a holds then, iwing method fD), it might be the case that the 
particular sequence of choices made along the way win result in the traversal proceeding 
along an infinite path (divergence of «) and hence never terminating. Also, if 3¥fail n 
holds, then that sequence might result in the traversal arrivingat a failure leaf and 
thus producing F as the result 

Depth Searti tktk Backtracking tDTH As in (W] the difference being that if a leaf 
labeled F is reached the procedure backtracks to the mcut recent choice point and tries 
the alternative, (f that has already been tried it backtfackrto the next recent one 
and so on. If the tree is exhausted this way execution terminates with F as the 
result. 

Note that here too, 3tloop a implies that the traversal might continue for ever along a 
divergence. However* the existence of at least one non-F leaf (which can be asserted by 
J¥<a>true) guarantees that even if Jtyatt^ holds the traversal wiH not end with F as 
the result. 

Breadth Search (B): A nonnegative integer k is chosen nondetermtnistically. Starting 
from the root the procedure moves down the tree from father to soni Whenever a nbde 
with two sons is encountered track is kept of both alternatives by working in parallel. 
When any leaf is encountered its label is added to an initially empty set RES. When 
depth k of the tree is reached, or when the tree has been exhausted, RES is checked 
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for emptiness. If RES**f the traversal terniiaale* and an elen^of RES is <**»#* 
nondetermtnisMcaaiy ;,a* the routt Jt RES*** ^J^ W^i*^^ ^ h ** , i twl 
another integer k'>k is chosen ^ r^ode^f|%mj^ll»|? qd^mfP^-WM*"* ** 
above. Otherwise the procedure ternUo^ wJjfcXa^^^ 

( Remark: the reecbeni*m of Introducing a choice of aninlerr k Ji present in order to 
render each leaf -a po«ibk outcome of the algorithm. A *imple b^ea^-fim i*arcll 
would favour higher leave*.) 

Note that here if ^/^JioldiilheB the f syrahof f^f^ ^H^ th ? W tt * *» * 
consequence of a oartte«l*r choice of k and of tr* dement 4* *ES. #Qwe*er, Jf at least 
one leaf ( F or other) to present* then ejen If Jfcfrf^ hoM* the procedure U 
guaranteed to terminate eventually because RES will beuaiw wne mpty at some point. 

Breadth Search wUh Ignoring ( BC) i As in ( B) , the difference being that if an F-leef Is 
encountered the symbol F is not added to the set RES. 

Note that here, if at least one non-F leaf is present, neither can the truth of loop a 
in state J mu* in the pfocedwe net haWnK^ntt caw tM*ruth of /*£ In J result 
in the procedure producibgJP as its two*, 

We remark here that the four method^ ppseffid foam bJMp means a ©jn^lete Ju*t 
Qne can think of other methods, such as "left-first search", in which the left branch is 
always tried firs* We led, however, that Q»ltmm4m**toH!m* the reasonable 
"fair" methods in which no specific group of leave* ft j*WlMfe!ef ««'** o**£ others. 

We summarize the remarks that were made after each method was described as 
follows, where the entry for a certain method under df**r*WK* tresp./siJstr«) means 
that even under the assumption JK«>fru#, the fact that 4n:|se>^4 W- ££&*)* ***** • : 
can result in the procedure failing to produce a final state $*T as iU result: 

dumgenct faiiMre 



D 
DT 
B 
BC 





1 

1 o 

1 1 
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Wd now take a ctose look at the sought notion of total correctness. We would like 
to define* to be totafty correct with retpect to an tr^t towdttl o »' & and an output 
conditicm Q if , Vrituitlvety, sto^ 

undoubtly result in that execution terminatirtg^^^ that 

3 is a state such that JJ*R holds. For « to be totally correct with respect to R and Q 
there certainly mutt exist a non-F feat m <rf{ *,,?)■, thus we require that ?lKar>fru« 
holds. Furthermore, att such leafs are I & mutt of any one of the four 

procedures described above. Thus we require in addition that eWf^liati 'with which such 
a leaf is labeled should satisfy Q ; in other words we need JK«3Q to hold. It is now 
quite evident thai in order 'for a 'w3ri4rii&i \M^k^^f^^^- : i^llii9^^\i^-''' t '' 
guaranteed to termbvat* with * fmal state as thfr lunm, we have tOTequire that ct(*t,3) 
be free of divergences or fliiitfeV# and only -if' i 9'^m^ ft the corresponding column 
for that rnetho* in the a*»vt»ttrt)lii w 

We thus arrive at the following: 

Definition: Civen a universe U, a program «6*RG and formulae & and Q, we say that « is 

U-totally cmrtct wrt RandQ tff Ky (R ^ «n>^ w a C«JQ A ^w^ a A -/ai^) ) , 

DT -tofa«* cerr«r wrt R and Q iff K y (R => (<«X«w A C«lpiA ^w^ a U, 

^-totally correct wrt R and Q iff hy (R » ( <*5*»i* A E*l@ A "fi^a) * » 

BCwomttycortwf wrt Rami "Q iff fl^frq*4alRMntoll CwlQ )). 

In the next section we use this definition in order to define the concept of the weakest precondition of a program with respect to an assertion, and to clarify Dijkstra's [13] notion of $wp(\alpha,P)$.

5.4 Weakest Preconditions.

The notion of the weakest precondition of a program $\alpha$ with respect to a post condition $Q$ was introduced by Dijkstra [13], who wrote (in [14]):

(*) "We shall use the notation $wp(\alpha,Q)$ to denote the weakest precondition for the initial state of the system such that activation of $\alpha$ is guaranteed to lead to a properly terminating activity leaving the system in a final state satisfying the post condition $Q$."

Here "weakest" is in the sense that $wp(\alpha,Q)$ is to be the largest set of states each of which has the property that "activation of $\alpha$ in that state is guaranteed to lead to ... etc".

Other than (*), there is no formal definition of $wp(\alpha,Q)$ either in [13] or in [14]. However, [14] contains essentially four properties that $wp$ must satisfy:

P1. $\models (wp(\alpha, false) \equiv false)$,

P2. if $\models (P \supset Q)$ then $\models (wp(\alpha,P) \supset wp(\alpha,Q))$,

P3. $\models (wp(\alpha, P \wedge Q) \equiv (wp(\alpha,P) \wedge wp(\alpha,Q)))$,

P4. (continuity): for any arithmetical universe $A$, if $\models_A (\forall n)(P(n) \supset P(n+1))$ then $\models_A (wp(\alpha, \exists n P(n)) \equiv \exists n\, wp(\alpha, P(n)))$, where $n \notin var(\alpha)$.

Our plan is to precisely define the notion of $wp(\alpha,Q)$ as being dependent upon the four execution methods of Section 5.3, and then to investigate which of the four notions satisfy P1-P4. We will show that those corresponding to methods D and DT do. However, in the next section we introduce Dijkstra's guarded commands (GC) programming language and show that, restricting ourselves to programs in GC, the only notion of $wp$ which is consistent with the way in which GC is defined in [13] is that corresponding to method D, i.e. depth search with no backtracking. Thus, although there are four independent notions of the weakest precondition, we conclude that it is $wp_D$ that Dijkstra had in mind in [13] and [14]. This coincides with the semantics of GC given by de Bakker [1] and by Plotkin, who also indicated that one has to outlaw both infinite computations (divergences) and blind alleys (failures) in order to capture Dijkstra's notion of $wp$.

Definition: Given a universe $U$, a program $\alpha \in RG$ and a formula $Q$, the weakest precondition of $\alpha$ with respect to $Q$ is defined for methods D, DT, B and BC respectively as follows:

$wp_D(\alpha,Q) \equiv (\langle\alpha\rangle true \wedge [\alpha]Q \wedge \neg\mathit{loop}_\alpha \wedge \neg\mathit{fail}_\alpha)$,

$wp_{DT}(\alpha,Q) \equiv (\langle\alpha\rangle true \wedge [\alpha]Q \wedge \neg\mathit{loop}_\alpha)$,

$wp_B(\alpha,Q) \equiv (\langle\alpha\rangle true \wedge [\alpha]Q \wedge \neg\mathit{fail}_\alpha)$,

$wp_{BC}(\alpha,Q) \equiv (\langle\alpha\rangle true \wedge [\alpha]Q)$.

Certainly, by definition, given a universe $U$, with $X$ ranging over D, DT, B and BC, a program $\alpha$ is $X$-totally correct wrt $R$ and $Q$ iff $\models_U (R \supset wp_X(\alpha,Q))$.
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Note that all of our four w/s satisfy the informal description (*) in, which the word 
"activation" is now interpreted as "activation using execution method XV fn other words, 
we claim that 

it is indeed the case that using method X, wJfxJf!^ is *• wea ^ est 
precondition which guarantees that execution of « using method X will 
always terminate m a state satisfying Q. ■ . .. 

Let us see which of our ar^s satisfy Dljkstra's properties P1-P4.. 

Lemma 5.4: PI -P3 hold for w^q, w^j, w^| and mfcy*. .. 

Proof. PI: Since for any X<{D,DT .B.BC}, ( »fy( «,Q) *§<mHru* A C«3Q) ) , 
(««>4we A CoJQ) 3 <«>Q), and {<*>faiu */*/w> are all tad, PI can be seen 
to follow. We omH the straightforward proofs of P2 and P3. I 

Lemma 5.5; There exists an arithmetical universe A, a program «€RC and a formula P(n) t 
such that P4 does not hold for «#^j«r p : p#. 

Proof: Take A to be the universe of pure arithmetic H, and P{n) » be n*x. 
Qe^taiol^ f«t any «» we ha *« ^(«*x ? (n+l)*x), . to« to be Cx«-0;(x?-x+l)*). 
One can then check that, fcj^oXru* and fcat*#*V- bo&Ji*|iVmd>*bj£*J3n<nfcx). 
However N^3rC«]Knaic) does not. ,;JI ■„-:- 

Theorem 5.6: P4 holds for apr\ and a>^rjr- 

Pr^ Assume N A Vr>(P(n)3P(n*l)). Becwwe n/w»K«) t H# immediate that 
(3n(a»/» D (a,P(n))) « (<o>rru# A -•foa^ A -fcti^ a 3nCo3P(n))) Is A-vaWd. Also, it is 
trivial to show that for the tame reason, so is (3nUJPtn) a Cw33nP(n)). Assume now that 
JKaMnP(n) holds. We show that JKkrfadPf n3 dee* »•©. «:ly 3**4eop a hoWirtg, we know 
that ct(a,3) is finite. Coruider the set J« = ifi3*$h <im**m of JKatfSirPf h) 
holding, there is an integer f(#) associated wttheacjf |*(J«i» soch that for any n, &?in) 
whenever ng-i($). Since J« is fintte (by Lemma S£ together with the fact that cf(ft,|) 
is a finn% tnv) , . taking t=m*xj>^j a ) i(j ) and ubw y I n g that fot* any |*( fa) we ha*o ^ 
#»( P ( n ) =P( m) ) where m***, we conclude that JKwIPf *► whew wjefc 
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For top DT , it suffices to observe ^i«t. imiAar : *fi^ .cq^lg^f^ iif^j»««p^«>,^iwe-->fy* ***** 
(3n(w/? 1DT (a,P(n))) s «»>true a <oop a a 3nC«3P(n))) is A -valid. The proof then 
proceeds exactly as above. 1, 

Thus, we summarize as foHowss 

»Pd "tor w h "fa 



P1-P3 
P4 



1 1 .1 1 

1 1 



and conclude that the properties P1-P4 do not give rise to a unsgue notion of wp; there 
are at least two equally plausible definition* which ****** 

that C133 included only PI-P3, and ^ these are ''^UOM^tM jj^huf'mfa Hew* P4, 
which was added in CIO, can be seen to be equivalent t£ requiring that the program 4s 
divergence-free^ 'Wand Oil 'W essentially shown that nothing weaker than w^j 

satisfies PI -P4. 



5.5 The Guarded Commands Language (GC).

In this section we complete our analysis of the notion of weakest precondition by restricting ourselves, as did Dijkstra in [13], to a sublanguage of the language RG of regular expressions over assignments and tests, namely the language of guarded commands (GC). We show that only one of the four notions of $wp$, namely $wp_D$, is consistent with the manner in which GC was alleged to have been defined in [13]. Since $wp_D$ satisfies P1-P4 of [14] too, we conclude that Dijkstra had been presupposing that method D was to be used in executing the programs in GC.

We define GC as a subset of RG with the same semantics, as follows:

(1) An assignment $x \leftarrow e$ is a program in GC.

(2) For any $\alpha,\beta \in GC$ and first-order tests $P?$ and $R?$,

$(P?;\alpha \cup R?;\beta)$, and
$((P \vee R)?;(P?;\alpha \cup R?;\beta))^*;(\neg P \wedge \neg R)?$ are in GC.

Throughout, we abbreviate the last construct in (2) above to $(P?;\alpha * R?;\beta)$.

One can see that in GC tests do not appear as programs in their own right but only as guards preceding "real" statements. Thus, in the alternative construct $(P?;\alpha \cup R?;\beta)$ (written IF $P \to \alpha$ [] $R \to \beta$ FI in [13]), either $\alpha$ or $\beta$ is executed, depending on whether it is $P$ or $R$ which is true. If both are, then one of $\alpha$ and $\beta$ is chosen nondeterministically, and if neither is then the statement fails. Thus this construct is a nondeterministic generalization of if $P$ then $\alpha$ else $\beta$. Similarly, the repetitive construct $(P?;\alpha * R?;\beta)$ (written DO $P \to \alpha$ [] $R \to \beta$ OD in [13]) generalizes while $P$ do $\alpha$.

In [13] the language defined is seemingly somewhat less restrictive. For example, $(P_1?;\alpha_1 \cup \ldots \cup P_n?;\alpha_n)$ is allowed for any $n > 0$. However, this, for our purposes, is equivalent to a nesting of binary alternatives in which the inner alternative is guarded by the disjunction of its guards; e.g. $(P_1?;\alpha_1 \cup P_2?;\alpha_2 \cup P_3?;\alpha_3)$ is written $(P_1?;\alpha_1 \cup (P_2 \vee P_3)?;(P_2?;\alpha_2 \cup P_3?;\alpha_3))$. Also, Dijkstra's skip and abort statements can be written as $(true?;x \leftarrow x \cup true?;x \leftarrow x)$ and $(false?;x \leftarrow x \cup false?;x \leftarrow x)$ respectively; thus GC can be seen to be sufficient. (Remark: abort was described in [14] as being a statement that always fails, and so is written differently from the statement $(true?;x \leftarrow x * true?;x \leftarrow x)$, which always diverges and which we call diverge.)

In [13] and [14] the semantics of GC was defined using the (informally described) notion of $wp(\alpha,Q)$. We now phrase these "definitions" as equivalences that a candidate of ours for $wp$ should satisfy in any state. As we shall see, only one of our four $wp$'s satisfies them. The equivalences are:

D1. $wp(skip, Q) \equiv Q$,

D2. $wp(abort, Q) \equiv false$,

D3. $wp(x \leftarrow e, Q) \equiv Q^x_e$,

D4. $wp(\alpha;\beta, Q) \equiv wp(\alpha, wp(\beta,Q))$,

D5. $wp((P?;\alpha \cup R?;\beta), Q) \equiv ((P \vee R) \wedge (P \supset wp(\alpha,Q)) \wedge (R \supset wp(\beta,Q)))$,

D6. $wp((P?;\alpha * R?;\beta), Q) \equiv \bigvee_{n \geq 0} H_n$,

where $H_0 \equiv (\neg P \wedge \neg R \wedge Q)$

and $H_{n+1} \equiv (H_0 \vee wp((P?;\alpha \cup R?;\beta), H_n))$.
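As an added worked instance of the calculus D1-D6 (not taken from the thesis), take $Q \equiv x=2$ and the repetitive construct $(x<2?;x \leftarrow x+1 \ * \ false?;x \leftarrow x)$, i.e. while $x<2$ do $x \leftarrow x+1$, over the arithmetical universe $N$. By D5 and D3, for any $H$,
$$wp((x<2?;x \leftarrow x+1 \cup false?;x \leftarrow x), H) \equiv ((x<2 \vee false) \wedge (x<2 \supset H^x_{x+1}) \wedge (false \supset wp(x \leftarrow x, H))) \equiv (x<2 \wedge H^x_{x+1}).$$
Hence, by D6,
$$H_0 \equiv (\neg(x<2) \wedge \neg false \wedge x=2) \equiv x=2,$$
$$H_1 \equiv H_0 \vee (x<2 \wedge x+1=2) \equiv (x=2 \vee x=1),$$
$$H_2 \equiv H_0 \vee (x<2 \wedge (x+1=2 \vee x+1=1)) \equiv (x=2 \vee x=1 \vee x=0),$$
$$H_3 \equiv H_0 \vee (x<2 \wedge (x+1=2 \vee x+1=1 \vee x+1=0)) \equiv H_2 \quad (\text{in } N,\ x+1=0 \text{ is unsatisfiable}),$$
so $H_n \equiv H_2$ for every $n \geq 2$ and $\bigvee_{n \geq 0} H_n \equiv x \leq 2$. This agrees with $wp_D$ computed from the trees: for $x_J \leq 2$, $ct$ of the loop at $J$ is finite, failure-free (the failed guard $(x<2 \vee false)?$ at the exit is deleted, its sibling being the state leaf) and has the single leaf $[2/x]J$; for $x_J > 2$ the loop exits at once and its only leaf, $J$ itself, violates $Q$, so $[\alpha]Q$ and hence $wp_D$ are false.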



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Lemma 5.7; Dl, D2 and £3 hold for wfp, w/^ T , wfe find «$«£. 

Proof: Dl: For *A#, defined aboy^fs (fn<*?;w U f^i^^.e^lnly have 
►<jJU£>fru<, and similarly, for any J«T one can see that rt< jfc£,J[) M free of failures 
and is finite. Also, IskipTQ * ttruel ;x«-x!IQ ■ Cx«-x3Q ■ Q * * Q. Thus Dl follows. 

D2: <abort>true s {<falsel;x+x>true V <falur! \x+x>trH*) ■ (fiUs* A <x*-x>rn«) «/<ifr«, 
and thus since for any XHJWFiMGA wt hj^ af^Nl^) >*<«>^j ^^^ °^ 

D3: Since we have H <x*-e>mw A <»p x ^ A yetf^ , we conclude that 
for any ,X as above, w/> x (x**jQ) * £x**3Q *<)£., • 

7*A*or«m 5.8: Foraeach of wfcrjT* *#$ wd ^ a^,J^e|M»i ^p£fef#» * at 
D4 is not valid. 

Proo/: Take a to be (frue? ;x«-l U frti«?;x«-2} and Q to be trut. 

DT: Take to be (x=l?;x«-x u x=l?;x«-x). The left hand side of P4 for IhM caiejis 

( <o ;0>true a "bop~M a C« ;0 Jrriw). All three conjunct* certainly hold in 

any state J^N. IJUiS% the right hand Ode t» £<«>/** A «4mfi( A 

r.aK0>rrue a CaD-i/oofy a ImXfiltnu) , and.E«K0>tn« does-ns^rwld in any 

state J«N, since for any such J, we have ( 3JU/xJ3)Uti^*&®if*1t$¥<0>tTU*. 

B: Take to be (x*l?;x«-X * xal?;x**). '■■^MIII^^M^tifHa^t^'milr-^ *ee 
that * N wp%{ « ;0,Q) , but CaX0>rrtt# is not satisfied by any 4MB ^M «ince 
( J^Cl / x3 J)*m(a) holds, but CI / xJIJK 0><nt«. 

BC: Take to be any one of the above two. The rest of the reasoning it similar. I 

In order to show that D4 holds for wp^ we need the following? 

Lemma 5.9. For any 0,0(00, *(/«"« jfl ■ (/«*/,, V <«>/«*/g)). 

(Remark: this lemma should be contrasted with Lemma 53($;3) *nd the remark following 
'its proof.) 

Proof: Having lemma 5.3(2,3) at hand and r«^^alt^t"RC, air we^ have left to prove 
is H<et>failg ^M a .fit for *,0*CtS. Indeed, the orih) ^jF'iMte'ewte'ifittiife'i* 
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ct(0,$) for some |«( Ja) , such that that failure disappears in #f,et;0,J) , is in the case 
where cr(a,J) has a leaf (t,|), the ancestor of which has another descendant which is not 
a leaf, arid furthermore itift^) t% simply fty&% Mjjl^ r ltitiim see that there is 
no program j»«CC for w is A tfnfteton. % 

Theorem 5.10: Forany a,0eCC, D4 holds for wfo. 

Pra^* *E*pa*afnfg^^ 
-/a// a .^), and similarly wfo(a,»tW0 f Q)) s (<*>/n« A ^«*Ag| A "yfetf^ A CaK0>ffu« 
a la^loopa A Caj^y^llk^^ seen to follow 

immediately. Assume now that Jfcw^U^Q). Ih4«f Lemma SJ and Lemma S.9 for dealing 
with the clauses involving loop and /e*f, we have only to show that JK*K0>true holds. 
This follows from 3H«3»«&i>| ^ MWlWfimg&mmmSMH. af 

We now consider D5:

Lemma 5.11: For each of $wp_{DT}$, $wp_B$ and $wp_{BC}$ there exists a program $(P?;\alpha \cup R?;\beta)$ in GC such that D5 is not valid.

Proof: Take $P$, $R$ and $Q$ to be $true$, and $\alpha$ to be the program $x \leftarrow x$.

DT: Take $\beta$ to be abort.

B: Take $\beta$ to be diverge.

BC: Take $\beta$ to be either of the above.

In each case the left hand side of D5 is valid, but the right hand side is not even satisfiable. We omit the details. ∎

Lemma 5.12: For any $\alpha,\beta \in GC$, D5 holds for $wp_D$.

Proof: Straightforward using Lemma 5.3(4) and Lemma 5.9. ∎

We now consider D6:

Theorem 5.13: For each of $wp_{DT}$, $wp_B$ and $wp_{BC}$, there exists a program $(P?;\alpha * R?;\beta)$ in GC such that D6 is not valid.

Proof: Here too, there is a general structure to the three counterexamples. We present them for each case but omit the tedious, but straightforward, arguments involved in proving the claim. In each case, however, one can show that in any state $J \in N$ such that $x_J = 0$, the left hand side of D6 is true but the right hand side is not. In fact, the clause $[P?;\alpha \cup R?;\beta]\langle P?;\alpha \cup R?;\beta\rangle true$, which shows up in $H_2$ of the right hand side, is the clause which is not true in $J$, and which falsifies $H_n$ for any $n \geq 2$. $H_0$ and $H_1$ can be checked manually to be false in $J$.

Define $Q$ to be $true$. Taking $\gamma$ to be the program abort for the DT case, diverge for the B case, and either of these for the BC case, we define our program $(P?;\alpha * R?;\beta)$ to be

$((x=0?;x \leftarrow x+3) * (2 \geq x?;x \leftarrow x+1;((x=1?;x \leftarrow x) \cup (x \neq 1?;\gamma))))$. ∎

Theorem 5.14: For any $\alpha,\beta \in GC$, D6 holds for $wp_D$.

Proof: For simplicity, denote by $\pi$ the program $(P?;\alpha \cup R?;\beta)$ and by $*\pi$ the program $(P?;\alpha * R?;\beta)$. We note that for every $J$ such that $J \models wp_D(*\pi, Q)$ holds, $J \models \neg\mathit{loop}_{*\pi}$ holds, and thus the tree $ct(*\pi, J)$ is finite. Note that under the same assumption, each leaf of $ct(*\pi, J)$ is labeled with a state $J'$ such that $J' \models (\neg P \wedge \neg R)$, and also $J' \models Q$. We now show that for every $J \in \Gamma$ such that $J \models wp_D(*\pi, Q)$, we have $J \models H_k$, by induction on $k$, where $k$ is the depth of the tree $ct(*\pi, J)$.

If $k = 0$ then $ct(*\pi, J) = \{(\Lambda,J)\}$, and $J \models (\neg P \wedge \neg R \wedge Q)$, so that $J \models H_0$.

Assume that $J$ is a state such that $k$, the depth of $ct(*\pi, J)$, is greater than 0, and assume that $J \models wp_D(*\pi, Q)$. Assume also that for every state $J'$ such that the depth of $ct(*\pi, J')$ is $k'$ with $k' < k$, if $J' \models wp_D(*\pi, Q)$ then $J' \models H_{k'}$. We show that $J \models H_k$ by showing that $J \models [\pi]H_{k-1}$. This is sufficient because $ct(*\pi, J)$ is finite and its depth is not 0, so it must be the case that $J \models (\langle\pi\rangle true \wedge \neg\mathit{loop}_\pi \wedge \neg\mathit{fail}_\pi)$; together with $J \models [\pi]H_{k-1}$ this gives $J \models wp_D(\pi, H_{k-1})$, and hence $J \models H_k$.

Take any $J' \in J\pi$. Certainly the depth of $ct(*\pi, J')$ is less than $k$. Also, one can show that from the fact that $J \models wp_D(*\pi, Q)$ holds we can deduce that $J \models wp_D(\pi;*\pi, Q)$ holds too, and then, using D4 (Theorem 5.10), that $J' \models wp_D(*\pi, Q)$ also holds. By the inductive hypothesis we obtain $J' \models H_{k'}$ for $k' < k$ (here $k'$ is the depth of $ct(*\pi, J')$). However, it is easy to establish that for any $i$, $\models (H_i \supset H_{i+1})$, so that we also have $J' \models H_{k-1}$. Hence $J \models [\pi]H_{k-1}$. This completes one direction of the theorem.

Conversely, assume $J \models H_k$ for some $k$. Without loss of generality we can assume that $J \not\models H_{k'}$ for all $k' < k$. If $k = 0$ then trivially $J \models (\neg P \wedge \neg R \wedge Q)$, and hence $J \models wp_D(*\pi, Q)$. Assume that $k > 0$, and that for any state $J'$ such that $\min\{k' \mid J' \models H_{k'}\}$ is defined and is smaller than $k$, we have $J' \models wp_D(*\pi, Q)$. Certainly by $J \models H_k$ and $k > 0$ we have $J \not\models (\neg P \wedge \neg R \wedge Q)$, so that $J \models (\langle\pi\rangle true \wedge \neg\mathit{fail}_\pi \wedge \neg\mathit{loop}_\pi \wedge [\pi]H_{k-1})$. Since $J \models \langle\pi\rangle true$, we can denote by $J'$ a state in $J\pi$. We know that $J \models [\pi]H_{k-1}$, and so $J' \models H_{k-1}$. Therefore, by the inductive hypothesis we conclude that $J' \models wp_D(*\pi, Q)$, or that $J' \models (\langle *\pi\rangle true \wedge \neg\mathit{fail}_{*\pi} \wedge \neg\mathit{loop}_{*\pi} \wedge [*\pi]Q)$. Now, since $J' \in J\pi$ and $J' \models \langle *\pi\rangle true$, we have $J \models \langle *\pi\rangle true$. Similarly we can establish $J \models [*\pi]Q$ from $J \models [\pi]H_{k-1}$, which implies that $J' \models [*\pi]Q$ holds for any $J' \in J\pi$. Also, $J \models \neg\mathit{fail}_{*\pi}$ and $J \models \neg\mathit{loop}_{*\pi}$ follow for similar reasons. ∎

Thus, to summarize, we have the following table, where a 1 indicates validity for all programs in GC:

           wp_D   wp_DT   wp_B   wp_BC
  D1-D3     1       1       1       1
  D4-D6     1       0       0       0

We remark that, relaxing our restrictions on programs and considering general programs in RG, D4-D6 do not hold in general, even for $wp_D$.

We regard our results in this section as providing rigorous support for the intuition Dijkstra displayed when he designed GC in [13] as a nondeterministic language suitable for "total correctness" reasoning: we have shown that adopting method D, depth search with no backtracking, in conjunction with the sublanguage GC results in D1-D6 holding, a fact which nicely gives rise to what Dijkstra calls a "calculus" for computing the weakest precondition of a program, and hence for determining its total correctness.






6. The Mathematics of Diverging and Failing I.

In this chapter we concentrate on some of the mathematical properties of the two concepts of diverging and failing introduced in Chapter 5. Most of the chapter, however, will be concerned with $\mathit{loop}_\alpha$. In particular we emphasize the problems of expressing this concept in DL and providing a suitable arithmetical axiomatization of it.

In Section 6.1 we consider the question of obtaining syntactic equivalents, in DL, of $\mathit{loop}_\alpha$ and $\mathit{fail}_\alpha$ for the class of programs RG. In particular, in 6.1.1, we show how a recent theorem of Winklmann [71] serves as the central part of a proof that such an equivalent exists for $\mathit{loop}_\alpha$. We then show, in 6.1.2, that an equivalent exists for $\mathit{fail}_\alpha$ too. Thus, as far as expressive power is concerned, $\mathit{loop}_\alpha$ and $\mathit{fail}_\alpha$ add nothing. In Section 6.2 we introduce an extension of DL, DL$^+$, in which there is a specially designated primitive for $\mathit{loop}_\alpha$. A natural and complete arithmetical axiomatization, P$^+$, of DL$^+$ is given in Section 6.2.2. Section 6.3 is devoted to exhibiting the remarkable similarity in form between the rules for $\mathit{loop}_\alpha$ in P$^+$ and the rules for the modal constructs of DL in P; this observation can be seen to supply a framework to aid when constructing such axiomatizations for other logics. The framework also supplies a broad perspective for understanding, say, the invariant assertion method of Floyd [17] and Hoare as a special case of arithmetical axiomatizations. Section 6.4 contains an application of these ideas in the form of an arithmetically complete axiomatization of an extension of DL based on the "sometime" operator of Salwicki. In this extension (ADL) the mechanism introduced for expressing $\mathit{loop}_\alpha$ is not quite as direct as that of augmenting DL with $\mathit{loop}_\alpha$ itself (as is essentially done in DL$^+$), but not as indirect as that of adding nothing but rather relying on the equivalent DL-wff of Section 6.1.1.


6.1 Diverging and Failing in 

It might seem at first that a simple inductive characterization of loop a and 
fail a is possible, along the lines, say, of Lemma 53(#* f|iif«Ue**h©W*haJ l°°P a tf 
is equivalent to Uoop a v <*>l9opm). In other words, that being able to determine 
whether «;|B contains* divet^^ whither irwd 
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do, given in addition the tools of DL This task, however, is not quite as simple as it 
seems. In Sections 6JLJ. and &A2 we focus, respectively, on to»p m and/otfg. 

6.1.1 Expressing loop a in '&£•• 

Lemma 6.1: Tar every «,0*RC, assignment xt-e and test P?, the fpftowing are valid: 

U) loop K ^ s false, 

(2) loopy? * false, 

(3) loopjtf * (t»p u v l&f^ 
|4| loop^tf 8 ilt*P u v <*>U»pf) . 

Proof: U) is Lemma 5.3(1). The others foHow from the definition of cf( a, J). | 

In order to be able to talk about «* we aWow ourselves, in this chapter, the 
freedom of writing, say, #V«<«* tt >P instead of "for afl n f #<**>? holds". (Recall 
that o° is frtte? and « mi is «^t n .) We also write &%<*?*>? to read 
"there exist infinitely many n'» such that <&>¥ *#*"* I*W^>P, then, asserts 
that <a n >P rrokis of arbitrarily large n. 

Theorem 6.2: For every «t«RG, Hte^* J Uk£>flaaJ^ ;■-¥•■ ¥««*^>?ri«H. 

( Remark: In line with the above contention tta. trteoram md*; "In .-any "State J, 
JHoo/> a * holds iff either JKo*^*^ holds of for every n we have JKa^mt*.") 

Proof.- As remarked in Chapter S, -by Keam^s temma for any .#»: Jh&vfa holds iff 
there is an infifMfe path Hi et($,3). Nw assume Jfcfce^*. % the construction of 
/wr( «*, J ) as per ( ( tnw? u «;«r*),J) it is quite efideW that IT JM4w* boWs for 
every #*J(«*) (i.e. if MaPJ^hop^ holds), men an mfintte path $=( J.J^Jj, -) 
in pct{a*,3) must be an infinite fit-path, i.e» there must be a subsequence of sin which 
every two adjacent states are related via m(ai). Denote this sequence by s**f J »^l> -* 
where | =1 and for every n*0 we have (IftjIn^MaK*). Thus certainly 

( J,# n >*m(* B ), ami hen« ,»^«*>t«i* 

Conversely, we first note that it is easy to see that ^(^ajf^/cfo^ ? laop^t). 
Assume now that JbVn<« n >frt«. By the construction of pct{*P,l) this implies that 



fi^lt^St-l^r, 
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/*r(«V> (w»d hence also «(«%?)) has leave* *l *j^^. *b»ch by Koenig's lew** 
implies that cf(«*,J) is infinity f , 

Thus, a divergence in a* is due either to a emergence tit M itself after execution 
of some number of «'s (local diverging) , or to being able to run a 1 * repeatedly fof *v«r 
(global diverging). 

It is immediate then, that the only obstacle to obtalhlnf a straightforward 
translation of loop, into a DL-wff ^ is the fact tht*f nV^ls 1 not* BL-wff. 
However, we have the following recently established facts 

Theorem 6.3 ( Winklmann C713): For every «*RG Mfl^f P «**« exl5ts * DL - wff 9 

such that HQ « Ali<ir>P). 

The (constructive) proof involves a very subtle argument, not reproduced here, which distinguishes those computations of α* from a fixed state J which repeat some state of J(α*) from those which are repetition-free. Thus, by noting that ∀n<α^n>true is equivalent to ∃^∞n<α^n>true, we conclude from Lemma 6.1 and Theorems 6.2 and 6.3:

Corollary 6.4: For RG, loop_α is expressible in DL; i.e. for every α∈RG there exists a DL-wff P_α such that ⊨ (P_α ≡ loop_α).

It is easy to generalize the definition of ct(α,J) to cover the programming languages "array-RG" and "rich-test-RG", which are the sets of programs allowed in array-DL (Section 2.3.1) and rich-test-DL (Section 2.3.2) respectively. These trees are also of finite outdegree, and for them too we can define J⊨loop_α to be true iff ct(α,J) is infinite. We then have

Theorem 6.5 (Meyer [43]): For every α∈array-RG and L-wff P there exists an array-DL-wff Q such that ⊨ (Q ≡ ∃^∞n<α^n>P).

Theorem 6.6 (Winklmann [70]): For every α∈rich-test-RG and L-wff P there exists a rich-test-DL-wff Q such that ⊨ (Q ≡ ∃^∞n<α^n>P).

Corollary 6.7: For array-RG (resp. rich-test-RG), loop_α is expressible in array-DL (resp. rich-test-DL).
One can define ct(α,J) for random-DL (Chapter 2), a definition which results in trees of infinite outdegree, and then define J⊨loop_α to hold iff ct(α,J) has an infinite path; Parikh [50] has settled the question of whether, for random-RG, loop_α is expressible in random-DL.

Recently Pratt [54] has shown how a plausible definition of loop for PDL, when the atomic programs in AP (see Chapter 2) are assigned binary relations by the semantics and not some sort of computation trees, gives rise to the result that loop_α is not expressible in PDL.



6.1.2 Expressing fail_α in DL.

We now turn to fail_α. Here too DL is powerful enough to express fail_α for any α∈RG. In this case, however, we will need to carry out a very careful analysis of the cases in which a failure node in pct(α,J) is not deleted when constructing ct(α,J). The complication arises in the case of α;β (i.e. when ct(α;β,J) has a failure but ct(α,J) does not). We will see later that for the guarded commands language GC (Section 5.3) this complication vanishes, and in this case the construction of the DL-wff R_α such that ⊨ (R_α ≡ fail_α) holds is quite straightforward.

Consider now the general set of regular programs RG. We first define inductively the construct onenode_α, such that J⊨onenode_α holds iff ct(α,J) is a singleton:

onenode_{x←e} ≡ false,

onenode_{P?} ≡ true,

onenode_{α∪β} ≡ false,

onenode_{α;β} ≡ (onenode_α ∧ (onenode_β ∨ fail_α)),

onenode_{α*} ≡ false.



Now abbreviate (fail_α ∧ ¬onenode_α) to dfail_α (meaning a deep, i.e. non-immediate, failure of α), and (fail_α ∧ onenode_α) to ifail_α (immediate failure).

Lemma 6.8: For every α,β∈RG, assignment x←e and test P?, the following are valid:

(1) fail_{x←e} ≡ false,

(2) fail_{P?} ≡ ¬P,

(3) fail_{α∪β} ≡ ((ifail_α ∧ ifail_β) ∨ dfail_α ∨ dfail_β),
(5) failtf * iJfrquty 



Proof: We omit the straightforward but rather tedious proofs. ∎

We would like to construct a DL-wff other_{α,β} such that

⊨ (fail_{α;β} ≡ (fail_α ∨ <α>dfail_β ∨ other_{α,β}))

will be valid. In other words, we would like other_{α,β} to capture the cases which fail_α and <α>dfail_β do not; i.e. the cases in which there is a failure node in ct(α;β,J) which does not appear in ct(α,J), and which is due to ct(β,J') being the one-node failure tree in some state J'∈J(α) (i.e. J'⊨ifail_β).

There are precisely three cases in which this situation might occur:

(1) ct(α,J) = {(J)} and ct(β,J) = {(F)};

(2) in ct(α,J) there is a node labelled J' which has a single descendant, a leaf labelled J'' such that ct(β,J'') = {(F)};

(3) in ct(α,J) there is a node labelled J' which has two descendants, of which at least one is a leaf labelled with some J'' such that ct(β,J'') = {(F)}.

[The diagrams of these three cases are not reproduced here.]

(Note that in the first two of these diagrams the F-node does not appear in ct(α,J), so that in all cases the failure, of the form of a one-node failure tree substituted for a leaf, which occurs when β is composed with α, cannot be detected by either fail_α or <α>dfail_β.)




For any α,β∈RG, we now supply an inductive abstraction of the three constructs 31_{α,β}, 32_{α,β} and 33_{α,β}, corresponding respectively to cases (1)-(3) above. (The following theorem can then be seen to follow from this.)

Theorem 6.9: For every α,β∈RG,

⊨ (fail_{α;β} ≡ (fail_α ∨ <α>dfail_β ∨ 31_{α,β} ∨ 32_{α,β} ∨ 33_{α,β})).

Turning to the construction, we note that 31_{α,β} is simply (onenode_α ∧ ¬fail_α ∧ ifail_β). We define 32_{α,β} and 33_{α,β} by induction on α as follows:



[Table: the inductive definitions of 32_{α,β} and 33_{α,β}, by cases on the form of α (x←e, P?, α'∪β', α';β', α'*); the entries are illegible in the source.]

Note now that the right hand side of the equivalence in Theorem 6.9 is defined using DL-wffs and appearances of fail_α and fail_β only. Consequently, Lemma 6.8 and Theorem 6.9 imply:

Corollary 6.10: For RG, fail_α is expressible in DL; i.e. for every α∈RG there exists a DL-wff R_α such that ⊨ (R_α ≡ fail_α).

We remark that for the guarded commands language GC we have ⊨ ¬ifail_α for every α∈GC. Consequently, it is easy to see that for any α,β∈GC we have

⊨ (fail_{α;β} ≡ (fail_α ∨ <α>fail_β)),

so that we obtain Lemma 5.9 again, this time as a corollary of Theorem 6.9.

6.2 DL Augmented with loop_α (DL+).

In this section we introduce an extension of DL, DL+, which consists essentially of adding the loop_α construct as a primitive to DL. The virtues of this augmentation are in the ability to reason about divergences directly, without having to go through the translation of loop_α into its equivalent DL-wff P_α of Corollary 6.4. We remark that the DL-wff Q of Theorem 6.3, and hence P_α of Corollary 6.4, have the unpleasant property of being strongly dependent on the structure of α and on the variables appearing in α, so that P_{α'} cannot be obtained from P_α by substituting α' for α throughout. Consequently, proving a formula with an appearance of loop_α will inevitably involve carrying out the transformation of loop_α into P_α, and then reverting to DL. The point is that the intuition one might have about loop_α is, in a strong sense, lost in the process. On the other hand, the arithmetically complete axiomatization of DL+ presented in Section 6.2.2 is natural and intuitively appealing.

6.2.1 Definitions.

The sets of symbols of DL+, the sets of terms and atomic formulae and the set RG of regular programs are all as in DL (Section 2.1). The set of DL+-wffs is defined as follows:

(1) Any atomic formula is a DL+-wff,

(2) For any DL+-wffs P and Q, α∈RG and variable x,

¬P, (P∨Q), ∃xP, <α>P and <α>+P are DL+-wffs.

Abbreviations are adopted as in DL, and in addition we abbreviate ¬<α>+¬P to [α]+P, reading "diamond-plus-α P" and "box-plus-α P" respectively.

For the definition of the semantics of DL+ we adopt the concepts of state and universe from Section 2.1, but now we think of the semantics as assigning to every program α the set of computation trees {ct(α,J) | J∈Γ} (see Section 5.1). However, by virtue of Theorem 5.2 we can continue to refer to m(α), defined now as {(J,J') | J' labels a leaf of ct(α,J)}, while remaining consistent with m(α) of Chapter 2.

The definition of the set of states satisfying a DL+-wff P is, for atomic formulae and for the clauses ¬P, (P∨Q), ∃xP and <α>P, taken from Section 2.1. For <α>+P we define

J⊨<α>+P iff either J⊨<α>P holds or ct(α,J) is infinite.

In other words, J⊨<α>+P holds iff J⊨(<α>P ∨ loop_α) does. One can then verify that

J⊨[α]+P iff both J⊨[α]P holds and ct(α,J) is finite.

From these we obtain our DL+ versions of loop_α and ¬loop_α:

J⊨loop_α iff J⊨<α>+false,

J⊨¬loop_α iff J⊨[α]+true.

With this definition one can see, by Corollary 6.4, that DL and DL+ are equivalent in expressive power, thus falsifying our conjecture in [25].

We refer the reader to Appendix D, in which we exhibit a program with a somewhat nontrivial behavior, the interesting properties of which can be expressed succinctly in DL+.

Before proceeding with the axiomatization of DL+ we would like to exhibit an alternative, but equivalent, definition of the semantics of DL+, which justifies the +-notation in a rather interesting way, in view of the addition, as in [56] and related work, of an "undefined state" to the grand universe Γ. This approach is the one taken in our original definition of DL+ in [25].

Denote by Γ+ the set Γ ∪ {⊥}, where ⊥ (read "bottom"), the divergence state, is a "state" in which, by definition, every DL-wff is false; i.e. ⊥⊭P for every P. Note then that ⊥⊭P and ⊥⊭¬P both hold, so that J⊭P and J⊨¬P are not the same.

Now let m+(α) = (m(α) ∪ {(J,⊥) | J⊨loop_α}), and (solely for the sake of this definition) let J α J' stand for (J,J')∈m+(α). If we now write

J⊨<α>P iff ∃J'(J α J' ∧ J'⊨P)

then [α]P, defined as ¬<α>¬P, should read

J⊨[α]P iff ∀J'(J α J' ⊃ J'⊭¬P)

rather than with J'⊨P on the right. On the other hand one can see that ∀J'(J α J' ⊃ J'⊨P) asserts that J⊨[α]P and that furthermore (J,⊥)∉m+(α) (otherwise we would have had J α ⊥ and ⊥⊭P). Accordingly we have

J⊨[α]+P iff ∀J'(J α J' ⊃ J'⊨P),

J⊨[α]P iff ∀J'(J α J' ⊃ J'⊭¬P),

J⊨<α>P iff ∃J'(J α J' ∧ J'⊨P),

J⊨<α>+P iff ∃J'(J α J' ∧ J'⊭¬P).

However, in the sequel we abolish the artificial state ⊥ and treat <α>+P as the abbreviation of (<α>P ∨ loop_α), which is valid in the semantics above.

6.2.2 Axiomatization of DL+.

Let us first gather some of the properties of <α>+ and [α]+, most of which have been proved previously for loop_α:

Lemma 6.11: For every α,β∈RG, assignment x←e, test P? and DL+-wffs P and R, the following are valid:

(1) [α]+P ≡ ([α]P ∧ [α]+true),

(2) <α>+P ≡ (<α>P ∨ <α>+false),

(3) [x←e]+true,

(4) [P?]+true,

(5) [α;β]+P ≡ [α]+[β]+P,

(6) <α;β>+P ≡ <α>+<β>+P,

(7) [α∪β]+P ≡ ([α]+P ∧ [β]+P),

(8) <α∪β>+P ≡ (<α>+P ∨ <β>+P),

(9) [α]+(P∧R) ≡ ([α]+P ∧ [α]+R),

(10) <α>+(P∨R) ≡ (<α>+P ∨ <α>+R).



Proof: We prove (5). [α;β]+P is, by definition, ([α;β]P ∧ [α;β]+true), or ([α][β]P ∧ [α;β]+true). However, since by Lemma 6.1 we have [α;β]+true ≡ ([α]+true ∧ [α][β]+true), we obtain ([α][β]P ∧ [α]+true ∧ [α][β]+true) ≡ ([α]+true ∧ [α]([β]P ∧ [β]+true)) ≡ [α]+[β]+P. Similarly for the other parts. ∎

Note how the choice of <α>+P to abbreviate the disjunction of <α>P and loop_α is paying off in (5)-(10), which have exactly the form of the corresponding properties of <α> and [α] in DL. Moreover, it gives rise to an extremely concise characterization of loop_{α*}:

Theorem 6.12: For every α∈RG,

(1) ⊨ (<α*>+false ≡ ∀n<α^n>+true),

(2) ⊨ ([α*]+true ≡ ∃n[α^n]+false).

Proof: By Theorem 6.2, <α*>+false ≡ (<α*>loop_α ∨ ∀n<α^n>true), which can be seen to be equivalent to (∃n<α^n>loop_α ∨ ∀n<α^n>true), i.e. to (∃n loop_{α^n} ∨ ∀n<α^n>true).

Claim: if J⊨loop_{α^{n_0}} for some n_0, then J⊨loop_{α^n} for every n≥n_0, and J⊨(loop_{α^n} ∨ <α^n>true) for every n<n_0.

Proof of the claim: For n≥n_0 we have α^n = α^{n_0};α^{n−n_0}, and by Lemma 6.1 loop_{α^{n_0}} implies loop_{α^{n_0};α^{n−n_0}}. For n<n_0 we have α^{n_0} = α^n;α^{n_0−n}, so by Lemma 6.1 either J⊨loop_{α^n} or J⊨<α^n>loop_{α^{n_0−n}}, and the latter implies J⊨<α^n>true. Thus the claim is proved.

With this claim established it is easy to see that (∃n loop_{α^n} ∨ ∀n<α^n>true) is equivalent to ∀n(loop_{α^n} ∨ <α^n>true), or ∀n<α^n>+true. (2) follows from (1) by the definition of [α*]+. ∎



Now let A be any arithmetical universe, and consider the axiom system P+ for DL+, defined as P of Section 3.3 augmented with the following axioms and rules:

Axioms:

(O) [α]+P ≡ ([α]P ∧ [α]+true),

(P) [x←e]+true,

(Q) [P?]+true,

(R) [α;β]+true ≡ [α]+[β]+true,

(S) [α∪β]+true ≡ ([α]+true ∧ [β]+true).

Inference rules:

(T)  P(n+1) ⊃ [α]+P(n),  ¬P(0)
     ---------------------------   for an L-wff P with free n, n∉var(α),
     P(n) ⊃ [α*]+true

(U)  P ⊃ <α>+P
     --------------
     P ⊃ <α*>+false

Provability in P+ is as defined in Section 3.2. Here too we first establish the soundness of P+ by showing the soundness of rules (T) and (U).

Lemma 6.13: For any L-wff P(n) and α∈RG, where n∉var(α), if ⊨_A (P(n+1) ⊃ [α]+P(n)) and ⊨_A ¬P(0), then ⊨_A (P(n) ⊃ [α*]+true).

Proof: Assume the two hypotheses, and also assume that J⊨P(n) holds. Without causing confusion we can denote n_J by n. We have to show that ct(α*,J) is finite. It is easy to see that a chain J_0, J_1, J_2, ... such that J_0 = J and ∀i (J_i, J_{i+1})∈m(α) is impossible, for by the first hypothesis it would imply J_n⊨P(0), contradicting the second. Similarly, by the first hypothesis, for any J'∈J(α*) we know that ct(α,J') is finite, and hence by Theorem 6.2 there is no way for α* to diverge. ∎

Lemma 6.14: For any universe U, DL+-wff P and α∈RG, if ⊨_U (P ⊃ <α>+P) then ⊨_U (P ⊃ <α*>+false).

Proof: Assume ⊨_U (P ⊃ <α>+P) and J⊨P. If J⊨<α*>loop_α holds, then by Theorem 6.2 so does J⊨loop_{α*}, or J⊨<α*>+false. Assume then that J⊨¬<α*>loop_α. We show that J⊨∀n<α^n>true. Indeed, by ⊨_U (P ⊃ <α>+P) and J⊨P we can show, by induction on n, that for all n we have J⊨<α^n>P, and hence J⊨<α^n>true. ∎

As in P, we remark that rule (U) can be replaced by the (valid) induction axiom scheme
which is derivable from P+, and from which (using parts of P) rule (U) can be derived.

Thus, from the A-soundness of P (Chapter 3) and Lemmas 6.11, 6.13 and 6.14 we obtain:

Theorem 6.15 (A-soundness of P+): For any DL+-wff P, if ⊢_{P+} P then ⊨_A P.


Here too we would like to apply the Theorem of Completeness (Theorem 3.1) to obtain the arithmetical completeness of P+. Strictly speaking, we need a slightly modified version of that theorem in which both <α> and <α>+ are treated. We omit the precise statement of such a theorem, but note that the proof of it is a trivial rephrasing of the proof of Theorem 3.1; the induction on the structure of formulae, which there covers <α> and [α], now also covers <α>+ and [α]+. Thus, here too, having already established the corresponding results of Chapter 3 for <α> and [α], we need basically:

Theorem 6.16: L is A-expressive for DL+.

Proof: Trivial from Corollary 6.4 and the A-expressiveness of L for DL (Chapter 3). ∎
We now have:

Lemma 6.17: The following are derived rules of P+:

(T')  R ⊃ ∃nP(n),  P(n+1) ⊃ [α]+P(n),  ¬P(0)
      ---------------------------------------   for an L-wff P with free n, n∉var(α),
      R ⊃ [α*]+true

(U')  R ⊃ P,  P ⊃ <α>+P
      -----------------
      R ⊃ <α*>+false

Proof: Trivial. ∎
We will now combine the two phases (treated separately for P in Section 3.2) of (a) showing how to A-validate the premises of (T') and (U') when their conclusions are A-valid, and (b) showing box+- and diamond+-completeness:

Theorem 6.18 (Box+-completeness Theorem): For every α∈RG and L-wffs R and Q,

if ⊨_A (R ⊃ [α]+Q) then ⊢_{P+} (R ⊃ [α]+Q).

Proof: Since ⊨_A (R ⊃ [α]Q), prove R ⊃ [α]Q in P by the Box-completeness theorem of Chapter 3, then prove R ⊃ [α]+true in P+ as follows, and use axiom (O) to combine the results. The existence of a proof in P+ of R ⊃ [α]+true is established by induction on the structure of α, the only non-trivial case being α*. For this case, if ⊨_A (R ⊃ [α*]+true) holds, then apply the derived rule (T') with P(n) taken simply as an arithmetical equivalent of [α^n]+false. By Theorem 6.12 we have ⊨ ([α*]+true ≡ ∃nP(n)), and so the premises of (T') can be seen to hold. ∎

Theorem 6.19 (Diamond+-completeness Theorem): For every α∈RG and L-wffs R and Q,

if ⊨_A (R ⊃ <α>+Q) then ⊢_{P+} (R ⊃ <α>+Q).

Proof: As in the previous theorem. Here, for R ⊃ <α*>+false, the derived rule (U') is applied, taking P to be an arithmetical equivalent of <α*>+false. One can now use the fact that ⊨ (loop_{α*} ≡ (<α>loop_{α*} ∨ loop_α)), i.e. ⊨ (loop_{α*} ≡ <α>+loop_{α*}), to establish the premise P ⊃ <α>+P; (in fact the implication is an equivalence.) ∎

As we remarked in Chapter 3 for the Diamond completeness theorem, here too we can satisfy the premises of (U') by a "strongest <>+-consequent", giving rise to an alternative proof of Theorem 6.19: take P to be an arithmetical equivalent of (<(α~)*>R ∧ <α*>+false). Trivially, if ⊨_A (R ⊃ <α*>+false) then ⊨_A (R ⊃ P), and we leave it to the reader to show the more subtle fact that ⊨_A (P ⊃ <α>+P). In the next section we concentrate on the rules for α* in P and P+, and on the way in which we were able to A-validate their premises in order to obtain the basic completeness results.

We conclude:

Theorem 6.20 (Arithmetical Soundness and Completeness for DL+): For any DL+-wff P,

⊨_A P iff ⊢_{P+} P.

Proof: One direction is Theorem 6.15, and the other follows from Theorems 3.1, 6.16, 6.18 and 6.19, and the derived rule (T') in Lemma 6.17. ∎

Appendix D contains an example of an interestingly behaving program and a proof in P+ of some of its properties.



6.3 A Pattern of Reasoning.

We now exhibit a rather interesting pattern which the rules for α* in P and P+ have been seen to follow, and which underlies the completeness of these systems. There are four concepts, [α*]Q, [α*]+true, <α*>Q and <α*>+false, two of which are of a universal nature and two of an existential nature. For each, a "descending" induction rule involving P(n) can be constructed directly from knowing, e.g., that [α*]Q is ∀n[α^n]Q and that [α*]+true is ∃n[α^n]+false. Furthermore, these rules are complete because it is straightforward to see that taking P(n) to be the indicated arithmetical equivalent A-validates the premises of each rule when its conclusion is A-valid (i.e. P(n) is the appropriate "weakest antecedent").

For the two universal concepts, "ascending" rules can be constructed dually to the descending ones. These are complete in the same way, but now the P(n) is a "strongest consequent". Moreover, the ascending and descending rules can be combined into one rule free of occurrences of n. The premises of this rule are A-validated by (what amounts to) both the weakest antecedent and the strongest consequent. Finally, since the resulting rules are the derived rules of P and P+ (among them (T') and (U') of Lemma 6.17), we observe that from them the basic rules, among them (T) and (U), can be obtained.

In the sequel, for brevity, we use P to denote P(n), P' to denote P(n+1) and P⁰ to denote P(0). We present these observations by juxtaposition.
The concepts involved, with their concise arithmetical characterizations, are

[α*]Q         characterized by   ∀n[α^n]Q,

<α*>Q         characterized by   ∃n<α^n>Q,

[α*]+true     characterized by   ∃n[α^n]+false,

<α*>+false    characterized by   ∀n<α^n>+true.



A descending inductive rule of inference can now be constructed for each concept by introducing P, having R imply QnP where the quantifier Q is determined by the arithmetical characterization, and having P⁰ imply the rightmost subformula in that characterization:



R ⊃ ∀nP,  P' ⊃ [α]P,  P⁰ ⊃ Q
-----------------------------
R ⊃ ∀n[α^n]Q

R ⊃ ∃nP,  P' ⊃ <α>P,  P⁰ ⊃ Q
-----------------------------
R ⊃ ∃n<α^n>Q

R ⊃ ∃nP,  P' ⊃ [α]+P,  P⁰ ⊃ false
---------------------------------
R ⊃ ∃n[α^n]+false

R ⊃ ∀nP,  P' ⊃ <α>+P,  P⁰ ⊃ true
--------------------------------
R ⊃ ∀n<α^n>+true

The premises of these rules are A-validated (when the conclusions are A-valid) by taking P to be A-equivalent to, respectively,

[α^n]Q,   <α^n>Q,   [α^n]+false,   <α^n>+true.



We could have stopped here; the above rules are sound and "complete", and will enable a completeness theorem to go through. We continue, however, as mentioned above.
Since we have the duality principle (see [52]) ⊨ ((R ⊃ [β]Q) ≡ (<β~>R ⊃ Q)), natural "ascending" rules, which are constructed dually to the descending ones, are

R ⊃ P⁰,  P ⊃ [α]P',  ∃nP ⊃ Q
-----------------------------   (box rule)
R ⊃ ∀n[α^n]Q

R ⊃ P⁰,  P ⊃ <α>+P',  ∃nP ⊃ true
--------------------------------   (diamond-plus rule)
R ⊃ ∀n<α^n>+true



Recalling that m(α~) = {(J',J) | (J,J')∈m(α)}, the premises of these ascending rules are seen to be A-validated by taking P to be A-equivalent to

<(α~)^n>R   (box rule)   and   (<(α~)^n>R ∧ <α*>+false)   (diamond-plus rule).

The



ascending and descending rules can be collapsed (by virtue of, e.g., the fact that (∀n[α^n]P ⊃ [α]∀n[α^n]P), or ([α*]P ⊃ [α][α*]P)), giving the unified rules

R ⊃ P,  P ⊃ [α]P,  P ⊃ Q
------------------------   (box rule)
R ⊃ [α*]Q

R ⊃ P,  P ⊃ <α>+P,  P ⊃ true
----------------------------   (diamond-plus rule)
R ⊃ <α*>+false

The premises of these rules are A-validated by taking P to be A-equivalent to either of

[α*]Q  and  <(α~)*>R   (box rule),

<α*>+false  and  (<(α~)*>R ∧ <α*>+false)   (diamond-plus rule).

Now the "arms and legs" of these rules can be pruned, noting, e.g., that from having proved R ⊃ ∃nP, P⁰ ⊃ Q and ∀n(P' ⊃ <α>P), we can deduce R ⊃ <α*>Q using validities of first order logic (included as axioms in (A)). Thus we obtain the final rules
P ⊃ [α]P
----------
P ⊃ [α*]P

P' ⊃ [α]+P,  ¬P⁰
-----------------
P ⊃ [α*]+true

P' ⊃ <α>P
-----------
P ⊃ <α*>P⁰

P ⊃ <α>+P
--------------
P ⊃ <α*>+false



The names given to the constructs used to A-validate the premises (i.e. the L-wff P(n) which one needs to "invent" in order to be able to carry out a proof) are, respectively:

invariant,  (no established name),  convergent,  divergent (we suggest).

We would appreciate suggestions on a suitable name for the second.

We would like the reader to consider the virtues of conducting this reasoning for the language of regular expressions over assignments and tests. Consider how much more obscure the observations of this section would have been had they been reasoning about the while statement instead of about α*. In our opinion α* captures the raw essence of iterating in programming languages, just as α∪β captures the essence of branching and α;β the essence of sequencing. For the programming language designer who is interested in a deterministic language or in a more "disciplined" nondeterministic one, we can recommend means of restricting the generality of these constructs (if-then-else and while, or simply Dijkstra's [14] guarded commands language (Section 5.3)). Note how the invariant assertion method of Floyd [17], as described by Hoare's while rule [22] (Section 3.3), has been shown to fall out of this general pattern of arithmetically complete rules as a special case.
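As an added illustration of this last remark (not part of the thesis), here is the derivation of Hoare's while rule from the box rule above, in the notation of this chapter. It assumes the standard DL validities for tests and composition, [B?]Q ≡ (B ⊃ Q) and [β;γ]Q ≡ [β][γ]Q, and the monotonicity of [β] (from ⊢ Q ⊃ Q' infer ⊢ [β]Q ⊃ [β]Q'); the while statement is taken as the abbreviation while B do α od = (B?;α)*;¬B?, with I the loop invariant.

(1) (I ∧ B) ⊃ [α]I                                   premise, i.e. Hoare's {I ∧ B} α {I}
(2) I ⊃ (B ⊃ [α]I)                                   from (1), propositional logic
(3) I ⊃ [B?][α]I                                     from (2), since [B?]Q ≡ (B ⊃ Q)
(4) I ⊃ [B?;α]I                                      from (3), since [β;γ]Q ≡ [β][γ]Q
(5) I ⊃ [(B?;α)*]I                                   from (4), box rule with R, P and Q all taken as I
(6) I ⊃ [¬B?](I ∧ ¬B)                                since [¬B?](I ∧ ¬B) ≡ (¬B ⊃ (I ∧ ¬B))
(7) [(B?;α)*]I ⊃ [(B?;α)*][¬B?](I ∧ ¬B)              from (6), monotonicity of [(B?;α)*]
(8) I ⊃ [(B?;α)*;¬B?](I ∧ ¬B)                        from (5), (7) and the composition validity used in (4)

Line (8) is Hoare's conclusion {I} while B do α od {I ∧ ¬B}, and the only "invented" formula is the invariant I itself, which A-validates the premises of the box rule exactly as described above.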



6.4 DL with an Iteration Quantifier (ADL).

In this section we consider a different extension of DL, in which, instead of loop_α, a primitive expressing ∀n<α^n>P is added. Note then, that it is immediate that by Lemma 6.1 and Theorem 6.2, loop_α can be expressed, and there is no need to construct Winklmann's Q of Theorem 6.3. We present an axiomatization of ADL, stressing the fact that the choice of rules was guided by the observations of Section 6.3 concerning rules for α*.



Formally, ADL is defined similarly to DL+ in Section 6.2.1; i.e. terms, atomic formulae, states, universes etc. are as in DL. The set of ADL-wffs is defined as:

(1) Any atomic formula is an ADL-wff,

(2) For any ADL-wffs P and Q, α∈RG and variable x, ¬P, (P∨Q), ∃xP, <α>P and (∩α)P are ADL-wffs.

For defining the semantics all we need is the following: for any state J∈Γ, ADL-wff P and α∈RG, define J⊨(∩α)P to hold iff J⊨<α^n>P holds for every n≥0. Using our convention then, (∩α)P is equivalent to ∀n<α^n>P.

The construct (∩α)P is the iteration quantifier of the work on algorithmic logic (see the survey of that work cited in the references). Certainly we have, by Lemma 6.1 and Theorem 6.2:

Lemma 6.21: For every α∈RG there exists an ADL-wff P_α such that ⊨ (P_α ≡ loop_α).

Thus ADL is at least as expressive as DL+. We remark that it is not clear whether the ∃^∞n of Theorems 6.3, 6.5 and 6.6 can be replaced by ∀n; if it can, then DL, DL+ and ADL would all be of equal expressive power in the regular, array and rich-test versions of DL. Whether or not they are equal in any of these cases, however, for our purposes we need only the following, which can be shown easily using the methods of Chapter 3:

Theorem 6.22: L is A-expressive for ADL.

Here too we will obtain our completeness result by applying Theorem 3.1. However, we omit most of the proof, noting only the points in which it differs from those of Theorems 6.15 and 6.20.
Lemma 6.23: For any program α and L-wffs R and Q,

if ⊨_A (R ⊃ Q) then ⊨_A ((∩α)R ⊃ (∩α)Q).

Proof: We omit this slightly tedious but nevertheless straightforward proof. ∎

Having Lemma 6.23 at hand, we add the following rule to P:

P ⊃ Q
---------------
(∩α)P ⊃ (∩α)Q

We also add the rules:

(S)  R ⊃ P(n),  P(n+1) ⊃ <α>P(n),  P(0) ⊃ Q
     ----------------------------------------   for an L-wff P with free n, n∉var(α),
     R ⊃ (∩α)Q

(T)  P(n+1) ⊃ [α]P(n)
     --------------------   for an L-wff P with free n, n∉var(α).
     P(n) ⊃ ¬(∩α)¬P(0)

(S) and (T) are obtained from the following rules, which in turn follow quite effortlessly from considerations similar to those described in Section 6.3:

R ⊃ ∀nP,  P' ⊃ <α>P,  P⁰ ⊃ Q          R ⊃ ∃nP,  P' ⊃ [α]P,  P⁰ ⊃ Q
-----------------------------   and   -----------------------------
R ⊃ ∀n<α^n>Q                          R ⊃ ∃n[α^n]Q

We do not know of a duality principle, or of any other way, for doing away with the indices in rule (S). Denoting the resulting axiom system by P(∩), we have

Theorem 6.24 (Arithmetical Soundness and Completeness for ADL): For any ADL-wff P,

⊨_A P iff ⊢_{P(∩)} P.

Proof: Apply Theorem 3.1, and in the appropriate place (i.e. when proving that whenever ⊨_A (R ⊃ (∩α)P) holds then so does ⊢_{P(∩)} (R ⊃ (∩α)P)) use the above two derived rules, showing that their premises can be made A-valid when their conclusions are, by taking P(n) to be arithmetical equivalents of <α^n>Q and [α^n]Q respectively. ∎
7. The Mathematics of Diverging and Failing II.



In this chapter we consider generalizing the methods developed in Chapter 6 in order to facilitate reasoning about the divergence and failure of programs other than those in the set RG; e.g. those in the set CF of recursive programs defined in Chapter 4.

In Section 7.1 we extend the definition of computation trees to CF, thus giving rise to loop_α and fail_α defined over this set. In Section 7.2 we consider the problem of whether, for α∈CF, loop_α and fail_α are expressible in CFDL; in particular we provide the analogues for CF of the characterizations of Chapter 6, but it is an open problem to obtain the analogue of Theorem 6.3. Section 7.3 is concerned with augmenting CFDL with loop_α for α∈CF, giving CFDL+, the resulting axiomatization (Section 7.3.2) not being quite as elegant as that of DL+ in Section 6.2.2. The results of these sections raise the question of whether there is an inherent difficulty in reasoning about recursive programs.

Section 7.4 is devoted to describing a general way in which notions of diverging and failing can be defined on the basis of sets of computation sequences over assignments and tests, and to comparing these concepts with the intuition with which the corresponding computation trees were defined for RG and CF in Sections 5.1 and 7.1.



7.1 Computation Trees for Recursive Programs.

The preliminary computation tree pct(α,J) of a program α∈CF and a state J∈Γ is defined as in Section 5.1 (clauses (1)-(4)), with the additional clause

(5) pct(τ*(X),J) = pct(τ(false? ∪ τ*(X)),J),

i.e. every appearance of X in τ is replaced by (false? ∪ τ*(X)), and the resulting program is unfolded in the same way again whenever a node labelled by a recursive call τ*(X) is reached; this process can lead to an infinite tree. The additional union with false? is introduced so that the process of calling recursively would itself "cost" an edge in the tree. A remark related to this matter appears in Section 7.4.

The computation tree ct(α,J) is then obtained by the deletion of the failure nodes as described in Section 5.2, and loop_α and fail_α are also defined precisely as in that section.

Examples: In the following, J is some state in N for which y_J = 0, and in the diagrams we let i stand for [i/y]J.

(a) Take α to be the program ((y=0?;y←y+1) ∪ (y≠0?;y←y−1;X;y←y+1))*(X).

[Diagrams of pct(α,[1/y]J) and ct(α,[1/y]J) are not reproduced here.]

(b) Take α to be (X)*(X); this is the recursive program which calls itself recursively "for ever".

[Diagrams of pct(α,J) and ct(α,J) are not reproduced here.]

(c) We now show how the two different translations of α* into CF programs (both of which give rise to the same binary relation; cf. Lemma 4.2) give rise to two different computation trees. As we formally state below, it is only the first of these two which gives rise to trees which, as far as loop_α and fail_α are concerned, are identical to those for α*. In all cases we supply a program α and the tree ct(α,J).

(true? ∪ (y←y+1;X))*(X)

(true? ∪ (X;y←y+1))*(X)

(true? ∪ (X;y<2?;y←y+1))*(X)

(true? ∪ (X;y<2?;y←y+1))*(X);y=2?

[The trees ct(α,J) for these four programs are not reproduced here.]




Here too we have

Theorem 7.1: For every α∈CF, (J,J')∈m(α) iff ct(α,J) has a leaf labelled J'.

Proof: Compare pct(τ*(X),J) = pct(τ(false? ∪ τ*(X)),J) with the definition of m(τ*(X)) in Chapter 4. ∎

The following theorem substantiates the remark we made in example (c):

Theorem 7.2: For any α∈RG and J∈Γ, denote by α' the program (in CF) obtained by replacing every appearance of a subprogram of the form β* in α by (true? ∪ (β;X))*(X). Then we have

⊨ (loop_α ≡ loop_{α'})

and ⊨ (fail_α ≡ fail_{α'}).

Proof: The claim follows by observing that pct(β*,J) = pct((true? ∪ β;β*),J) whereas pct((true? ∪ (β;X))*(X),J) = pct((true? ∪ (β;(false? ∪ (true? ∪ (β;X))*(X)))),J), but that the failure node due to the false? in the latter is always deleted in the process of constructing ct. ∎

Note that for any α∈CF and J∈Γ, ct(α,J) is again a tree of finite outdegree, so that Koenig's Lemma [31] can be applied.
7.2 Diverging and Failing in CFDL. 

As in Section 6.1, we are interested in constructing, for α∈CF, CFDL-wffs P_α and R_α such that ⊨ (P_α ≡ loop_α) and ⊨ (R_α ≡ fail_α). In both cases we will need tools similar to those developed for proving the corresponding results in Sections 6.1.1 and 6.1.2, but here a brand new problem arises, the solution of which requires defining the formula along(τ,Q) asserting, for a term τ(X) and formula Q, that Q is true at some point just preceding a recursive call to τ during a legal execution of τ*(X).

7.2.1 Expressing loop_α in CFDL.

We are looking for a characterization of loop_{τ*(X)} analogous to that of loop_{α*} in Theorem 6.2, in order to try to use it, together with Lemma 6.1 and a possible analogue of Theorem 6.3, for obtaining our result.

Recall that according to Theorem 6.2 a divergence in α* is due either to a local divergence, i.e. a divergence in some reachable execution of α, or to a global one, i.e. being able to execute α's for ever. The former possibility is <α*>loop_α, which, as is implicit in the proof of Theorem 6.12, can be written ∃n loop_{α^n}, and the latter is ∀n<α^n>true. So we can write

⊨ (loop_{α*} ≡ (∃n loop_{α^n} ∨ ∀n<α^n>true)).

Characterizing loop_{τ*(X)} is similar; here a local divergence is a divergence "inside" some application of a reachable τ, and can be expressed by ∃n loop_{τ^n(false?)}, where τ^n(false?) denotes the program obtained by unfolding τ*(X) n times and replacing the innermost X by false?. (Note that, unlike the case of α*, this alone does not characterize loop_{τ*(X)}; the global case below must also be dealt with.) Here we want to express the possibility of being able to "call τ for ever", which amounts to being able to "proceed infinitely deep into the recursion".

In order to capture this notion we restrict ourselves in this chapter to universes U in which the domain has at least two distinct elements and in which two fixed variables have these two elements as values; we will therefore use the symbols a and b freely as two variables with distinct values.

We now define, for any term τ, the term τ̂ which allows "skipping" tests, recursive calls to τ, and other recursive constructs, but in such a way that any such skip is recorded in a new variable x. Formally, for x,y∉var(τ), let τ̂(X) be τ(X) with every appearance of a subterm σ of one of the forms X, P? or σ'*(X) replaced by (σ ∪ x←b). Also define

θ ≡ (y≠a? ∪ (y=a?;x=a?;y←b)).

For any n≥0 denote the program x←a;y←a;τ̂^n(θ) by π_n. We can now present our characterization of loop_{τ*(X)}:

Theorem 7.3: For any τ∈CF,

⊨ (loop_{τ*(X)} ≡ (∃n loop_{τ^n(false?)} ∨ ∀n<π_n>y=b)).

Proof: Assume we have J⊨∃n loop_{τ^n(false?)}. It is quite easy to see that ct(τ*(X),J) has at least as many nodes as ct(τ^n(false?),J), and hence we also have J⊨loop_{τ*(X)}.

For the remainder of this direction we need some additional notation. For any 
i≥0 and J ∈ Γ we would like to define the set S(i,τ,J) consisting of those states 
which occur immediately before an application of τ at "depth i". Define 



' ' ■ .- <''^^^^^f0SI^0^^0^*>- -■;"#»» 
S(i+1,τ,J) = ∪_{I ∈ V} S(i,τ,I), 

where V is the set of states I such that the process of constructing ct(τ(x←x;τ*(/)),J) 
for x ∉ var(τ) requires constructing ct(x←x,I). In other words, V is the set of states 
which execution of τ*(/) [illegible] prior to [illegible] at depth 1. 

Certainly if for **m : l^m owel^WFi^ bJNnV&W»%*Pn* »^, » ** **&MA» 
and funheropf* 0* j^^onvthe flX*«^t*(T^/U4) tp th^^^M^lpo^ ai least 
i. (Note that -this^wpuidr^^^^ 

Assume now that J ⊨ ∀n<ρₙ>y=b. We show that for any i≥0 we have S(i,τ,J) ≠ ∅, and 
thus ct(τ*(/),J) has paths of arbitrary length and is therefore, by König's Lemma, 
infinite. (Note that the assumption J ⊨ <ρₙ>y=b is [illegible], so that ∀n can be 
replaced by ∃^∞n in the statement of the Theorem.) Indeed, for any such i, by assumption, 
we have J ⊨ <ρᵢ>y=b, or J ⊨ <x←a;y←a;τ'ⁱ(θ)>y=b. [illegible] 

ct(ρᵢ,J), starting from the root, [illegible] 
the value of y is b. The labels of the successive nodes are denoted by 

(J, [a/x]J, [a/y][a/x]J, J₀, ..., Jₖ) 

where y_{Jₖ} = b. Let l be the least integer j such that y_{Jⱼ} = b. By the construction of 
τ'(θ) it is evident that in order for y to have changed value from a to b it must be 
the case that the value of x is a all along. [illegible] 
x = a, so that tests P? and subprograms of the form [illegible] were actually executed 
and not avoided by executing x←b instead. In other words, the initial segment of the path 
p ending in J_l can be thought of as being [illegible] 
root to the [illegible] in ct(τ*(/),J). Consequently, we have J_l ∈ S(i,τ,J). This 
completes the proof of one direction of the theorem. 

Conversely, assume now that J ⊨ loop_{τ*(/)} holds and that for all n≥0 we have 
J ⊨ ¬loop_{τⁿ(/)}. Consider the infinite sequence s of successive labels of the nodes of 
an infinite path from the root in ct(τ*(/),J). It is easy to see that, by the second 
hypothesis, there must exist a subsequence of s, [illegible], such that for every i 
we have Jᵢ ∈ S(i,τ,J) and such that [illegible] that "depth i" of 
recursion was reached. We show that J ⊨ <ρᵢ>y=b holds for every i by giving an algorithm 
for executing ρᵢ in such a way as to terminate in a state in which the value of y is b. 
Given i, simulate the path corresponding to the initial segment of the sequence s ending 
in Jᵢ, i.e. assign x←a and y←a, and then [illegible] 
τ'(/), executing tests and recursive constructs and not the x←b parts. By the definition 
of θ, reaching Jᵢ in s corresponds to reaching θ for the first time in [illegible]. 
Thus, we have reached θ with y=a and x=a and therefore y is assigned b. 

Execution of τ'ⁱ(θ) is then to be continued by choosing the x←b parts instead of 
tests, [illegible] of X and recursive [illegible] 
(no tests to fail; no recursive [illegible]). By 
the construction of θ any subsequent arrival at θ will not change the value of y, and 
since y ∉ var(τ), this value is not changed by any other part of the rest of the execution. 

Thus, y=b upon termination. 

We are now interested in providing ways to express the two disjuncts in the 
statement of Theorem 7.3 by CFDL-wffs. 

For dealing with the first disjunct, consider the set [illegible] 
which, intuitively, is the set of states which [illegible] 
correspond to points just prior to recursive calls. Assume we have defined, for every 
CFDL-wff Q and term τ(X), a formula along(τ,Q) such that 

J ⊨ along(τ,Q) iff (∃I ∈ [illegible])(I ⊨ Q), 

i.e. J ⊨ along(τ,Q) holds iff Q is true immediately prior to some reachable recursive call 
to τ in an execution of τ*(/) starting in state J. Assume also that we have defined, for 
every program α ∈ CF and term τ(X), [illegible] 
holds iff there is a divergence in ct(α,J) [illegible] and [illegible] 
(i.e. the divergence-causing recursive [illegible] τ(X)). 

It is quite clear that J ⊨ ∃n loop_{τⁿ(/)} holds iff at some state I in the 
execution of τ*(/) just prior to a recursive call to τ, it is the case that there is a 
divergence in [illegible] which is due to [illegible] and not to the inner τ*(/). In 
other words, [illegible]. 

Now we proceed to define these concepts, and then observe that, together with 
Lemma 6.1 and Theorem 7.3, they give rise to CFDL-wffs. Finally we state the claim made 
in the previous paragraph as a theorem. 
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For any o^KcGF and term* Cl(X) and rj(|(| define ___,. 

'fy,a "df /ad fy» 

'^jX,* s df ^»-i v 

^hNS,* *df ^^d?* VbtetM** ! 

Now for defining along(τ,Q) we use tricks similar to those used in constructing τ' 
and θ for Theorem 7.3. Given τ(X), let x,y ∉ var(τ) be two variables, let Z = var(τ) and 
let Z' be a vector of disjoint primed versions of [illegible] (see Chapter 4; 
in particular x,y ∉ var(τ)). Define τ''(X) to be τ(X) with every appearance of a subprogram 
α of the form P? or τ₁*(/) replaced by (α ∪ x←b), and every appearance of the program 
variable X replaced by 

((x=a?;y=a?;y←b;Z'←Z) ∪ x←b ∪ X) 

where Z'←Z abbreviates the composition of the assignments z'←z for all z ∈ Z. Now, 
define along(τ,Q) to be 

<x←a;y←a;τ''*(/)>(y=b ∧ <Z←Z'>Q). 

The intuition is that in x←a;y←a;τ''*(/) one has the option of, whenever X is reached, 
storing the current values of the variables Z in Z', as long as the computation until that 
point has been an honest simulation of a computation in τ*(/). Once such a store has been 
carried out it cannot be carried out again because of [illegible]. As in 
the proof of Theorem 7.3, execution can always choose to skip quickly to the end of 
τ''*(/) by executing x←b whenever possible. Then, when the execution finally terminates, 
we assert that Q is true for the values of Z which we stored in Z' just before the 
recursive call. 

From these observations, together with the remarks on the construction of 

lp_{τ,α} and along(τ,Q), we obtain: 

Theorem 7.4: For every term τ(X), we have 
Now observe that the definition of along(τ, lp_{τ,τ*(/)}) involves only CFDL-wffs 
and constructs of the form loop_α where α includes only subprograms appearing in τ(X). 
We do not know how to deal with the right hand disjunct of Theorem 7.3, so that we have 



■**"•■ a 



Open Problem: Is it the case that for every τ ∈ CF, term τ(X) and CFDL-wff P there exists a 

CFDL-wff Q such that ⊨ (∀n<ρₙ>P ≡ Q)? 

An affirmative answer to this question would imply, together with Lemma 6.1 and Theorems 
7.3 and 7.4, that for CF loop_α is expressible in CFDL. 



7.2.2 Mmpwmkahii^ful^ %»^W^%^ ^^^ 

We have been unable to find an elegant and reasonably natural algorithm for 
constructing, given α ∈ CF, the CFDL-wff R_α such that ⊨(R_α ≡ fail_α) holds. We 
can show, though, that such an R_α exists, by a tedious and uninteresting case 
analysis. The difficulty was in finding a CFDL-wff lf_τ such that we have 

⊨(fail_{τ*(/)} ≡ along(τ,lf_τ)). 

J ⊨ lf_τ is to hold whenever there is a failure in ct(τ(τ*(/)),J) due to τ (i.e. the 
failure does not appear in ct(τ*(/),I) for any I ∈ [illegible]). The difficulty, similar to 
those of Section [illegible], arises when parts of X are tests. 

We pose to the reader the interesting problem of designing a useful sublanguage of 
CF for total-correctness oriented reasoning, which would be to CF what the guarded 
commands language GC is to RG. [illegible] the pleasant 
property that for [illegible] fail_α can be expressed easily and naturally. [illegible] it would be 
interesting to try and find concise rules for constructing some or all of the four notions 
of total correctness or weakest preconditions described in Chapter 5, similar to those 
provided by Dijkstra [illegible] for GC (cf. Section [illegible]). 

7.3 CFDL Augmented with loop (CFDL⁺). 

In this section we augment CFDL with loop_α and refer to the resulting logic as 
CFDL⁺. Although there seems to be no reason to abbreviate (<α>P ∨ loop_α) to <α>⁺P, we 
will do so in order to be consistent with the treatment of DL⁺ in Section 6.2. The 
virtues of augmenting CFDL with loop are those described for DL vs DL⁺ at the beginning 
of Section 6.2, with the additional point that it might turn out that for CF loop_α is not 
expressible in CFDL, and so we would have CFDL⁺ as a logic in which the augmentation 
is proper in the sense of obtaining strictly more expressive power. The axiomatization of 
CFDL⁺ which we provide in Section 7.3.2 is not quite as natural looking as that of Section 
6.2.2 for DL⁺. We are of the opinion that a search for a clean new formalism for 
reasoning [illegible] 
might be worthwhile, although we are somewhat doubtful about the [illegible] 
about a significant improvement. 



7.3.1 Definitions. 

The definition of CFDL⁺ is similar to DL⁺, taking the definitions of the basic 
concepts from DL and adding: 

(1) Any atomic [illegible] 

(2) For any CFDL⁺-wffs P and Q, α in CF and variable x, 
¬P, (P∨Q), ∃xP, <α>P and loop_α are CFDL⁺-wffs. 

We abbreviate as in Section 6.2.1 and define the semantics analogously using the 
definition of loop_α of Section [illegible]. 



7.3.2 Axiomatization of CFDL⁺. 

The basis of our axiomatization is Theorem 7.3 which we can now rephrase as: 

⊨ <τ*(/)>⁺false ≡ (∃n<τⁿ(/)>⁺false ∨ ∀n<ρₙ>y=b) 

and ⊨ [τ*(/)]⁺true ≡ (∀n[τⁿ(/)]⁺true ∧ ∃n[ρₙ]y≠b). 

Here ρₙ is the program (x←a;y←a;τ'ⁿ(θ)) where τ' and θ were defined preceding 
Theorem 7.3. Also, in the sequel we use τ''(X) as defined preceding Theorem 7.4. 

Our axiomatization here too will be of an extension CFDL⁺' which is defined as 
CFDL⁺ but with the programs coming from the set CF'. As in Chapter 4, we will be using 
the fact that in an arithmetical universe A there exists, for any α ∈ CF', an L-wff P such 
that P^Z expresses α. The problem that arises is that of defining the tree ct(α,J) for 
α ∈ CF' (as opposed to CF), or alternatively, as far as this is concerned, that of 

defining loop_α. We would like it to be the case that for any P^Z, ¬loop_{P^Z} holds. 

However, for a given J ∈ Γ it is possible that the set {I | (J,I) ∈ m(P^Z)} is infinite. 

One solution is to define ct(α,J) to be a tree of possibly infinite outdegree, 
with the location of the nodes given by a list of natural numbers (as opposed to a list, or 
string, of 0's and 1's); for P^Z the tree would be defined as simply 

ct(P^Z,J) = {(λ,J)} ∪ {(i,I) | (J,I) ∈ m(P^Z)}. 

Then, we would define J ⊨ loop_α to hold iff ct(α,J) has an infinite path (which in this 
case is not necessarily equivalent to ct(α,J) being infinite). 

Another, equivalent, method is to associate with any α ∈ CF' and J ∈ Γ a set of 
computation trees CT(α,J). For P^Z we would define 

CT(P^Z,J) = {{(λ,J),(0,I)} | (J,I) ∈ m(P^Z)}. 

The rest of the definition is carried out analogously to the definition of ct(α,J) above. 
For example, CT(α;β,J) is the set of trees obtained by following the construction of 
ct(α;β,J) for every tree in CT(α,J), attaching any tree in CT(β,I) to a node labeled I 
whenever ct(β,I) was to be attached to that node in constructing ct(α;β,J). 

Example. Let α: x←x+1, P: x<x' and Z=(x). For any J ∈ Γ such that x_J = 0 we have: 

ct(α,J) = {(λ,J),(0,[1/x]J)}, 

CT(P^Z,[1/x]J) = {{(λ,[1/x]J),(0,[i/x]J)} | i>1}, 

and thus CT(α;P^Z,J) = {{(λ,J),(0,[1/x]J),(00,[i/x]J)} | i>1}. 

Now define J ⊨ loop_α iff there is an infinite tree in CT(α,J). 

We remark that either way loop_α is uniquely defined for α ∈ CF', and that for 
Let A be any arithmetical universe, and consider the axiom system R⁺ for CFDL⁺ 
defined as R of Section 4.3 augmented with axioms [illegible] of DL⁺ in Section 6.2.2 and the 
following axioms and rules: 

(In the following, P and Q are L-wffs, R is a CFDL⁺-wff, τ(X) is a term, x and y are 
variables x,y ∉ var(τ), Z = var(τ), V is the vector of variables obtained by augmenting Z with 
x and y, and τ', θ and τ'' are as defined above.) 

(V) LP 7 'l*true, 

(W) 

R =» ( <x^ajy<-a;t^(^Hy*b a <Z«-2 , Xt(Q z )> + /^My v Vn<x*-a;y«-a;P(n) v >y«b ) , 
P(0,V,V) =><*>WV* , QiTJW = Xt^^Z^ V WM&VT ^tWhJ V f >V*V 


(y) : /; : 7 ! " ;;'."'; "".■'';; 

R =» ( Cx«-a;y«-a;r"*(/)3(y*b v IZ+Z'TxiQhVtnu) a 3nCx^a;y«-a;P(n) V 3yf«b ) , 
V=V=*rtP(0,V\V) i Z'*Z a £**</}lQ«Z»siB> t * V***»fitf(P(n) V JIR<n*l,V\V) 


R = tt*ty)3*frtt# 

Provability in R* is defined as usual. 

Theorem 7.5 (A-soundness of R⁺): For any CFDL⁺-wff P, if ⊢_{R⁺} P then ⊨_A P. 

Proof: We establish the A-soundness of the additional axiom and rules, and then use 
Theorems 4.10 and 6.15 to conclude the result. 

We show then, that for any L-wffs P and Q, CFDL⁺-wff R and term τ(X), with x, y, 
τ', τ'', θ, Z and V as above, axiom (V) is A-valid, and rules (W) and (Y) preserve 
A-validity. 

(V): By definition. 

(W): We argue that the A-validity of the first premise of this rule, under the assumption 
that the other three are A-valid, asserts that 

⊨_A (R ⊃ (∃n loop_{τⁿ(/)} ∨ ∀n<ρₙ>y=b)), 

which, by Theorem 7.3, implies that ⊨_A (R ⊃ loop_{τ*(/)}). Recall that ρₙ is an 
abbreviation of (x←a;y←a;τ'ⁿ(θ)) and [illegible]. The premises other than 
the first assert, respectively, [illegible] and 
∀n(m(P(n+1)^V) ⊆ m(τ'(P(n)^V))). One can then show, by induction on n using Lemma 4.4, 
that ∀n(m(P(n)^V) ⊆ m(τ'ⁿ(θ))). Consequently, since Q^Z is "smaller" as a relation than 
τ*(/) but is divergence-free, one can see that loop_{τ(Q^Z)} implies lp_{τ,τ*(/)}, 
and hence also that along(τ,loop_{τ(Q^Z)}) implies along(τ,lp_{τ,τ*(/)}). By 
Theorem 7.4 the latter is [illegible]. Also, since for any n P(n)^V 
is "smaller" than τ'ⁿ(θ), one can see that ∀n<x←a;y←a;P(n)^V>y=b implies ∀n<ρₙ>y=b. 
Thus, the A-validity of the first premise of the rule implies that R ⊃ loop_{τ*(/)} is 
A-valid, and hence we obtain the A-validity of the conclusion. 

(Y): Dual reasoning to that of (W). 

The proof of arithmetical completeness of R⁺ follows the framework of similar 
proofs in the previous chapters. We apply Theorem 11 after establishing that its 
hypotheses hold in this particular case. First we show: 

Theorem 7.6: L is A-expressive for CFDL⁺. 

Proof: Trivial using Theorem 41 and Corollary 7^. 

Now we prove the basic box- and diamond-completeness results, and then, following our 
remark in Section 6.2.2 about a "double functional" version of Theorem 3d, we obtain 
our final result. 

Theorem 7.7 (Diamond⁺-completeness Theorem for CFDL⁺): For every α ∈ CF and L-wffs R 
and Q, if ⊨_A (R ⊃ <α>⁺Q) then ⊢_{R⁺}(R ⊃ <α>⁺Q). 

Proof: As in the proof of Theorem 64£, it is easy to see that all we need to show is 
that if ⊨_A (R ⊃ <α>⁺false) then ⊢_{R⁺}(R ⊃ <α>⁺false). This, again, is established by 
induction on the structure of α. When α is of the form τ*(/) for some term τ we show the 
existence of L-wffs Q and P(n) such that the premises of rule (W) are A-valid. Since 
these premises involve only CFDL-wffs and the formula <τ(Q^Z)>⁺false, in which the 
program is of complexity lower than τ*(/), the result will follow. Indeed, by Theorem 41 
we can take Q and P(n) to be L-wffs involving, respectively, only variables in Z and V, 
and such that ⊨_A (Q^Z ≡ τ*(/)) and for all n ⊨_A (P(n)^V ≡ τ'ⁿ(θ)). All the premises are 
easily seen to be A-valid for this choice. 

Theorem 7.8 (Box⁺-completeness Theorem for CFDL⁺): For every α ∈ CF and L-wffs R 
and Q, if ⊨_A (R ⊃ [α]⁺Q) then ⊢_{R⁺}(R ⊃ [α]⁺Q). 

Proof: As above using rule (Y). Q and P(n) are also taken precisely as above. 
And thus, as remarked, we conclude: 



Theorem 7.9 (Arithmetical Soundness and Completeness for CFDL⁺): For every CFDL⁺-wff P, 

⊨_A P iff ⊢_{R⁺} P. 

Appendix E contains a proof of a CFDL⁺-wff in R⁺. 



7.4 Language Dependent Diverging and Failing. 

In this section, based upon an idea of Meyer [44], we show how it is possible to 
define notions of diverging and failing which do not depend on the [illegible] of 
computation trees but solely upon the language generated by [illegible] the regular 
expressions. In fact, the new notions are well defined for any language consisting of a 
set of sequences of assignments and tests. An immediate upshot is the fact that these 
concepts of language-diverging and language-failing are defined for r.e. programs as well 
as for regular and context-free ones (see Section [illegible]). However, the new notions, being 
independent of the particular expression (or term) generating the program, do not 
coincide precisely with our loop_α and fail_α. The careful investigation of this 
phenomenon which we supply below sheds some light on the reasons for adopting the 
seemingly ad hoc definitions of computation trees in Sections [illegible]. 

Let A be the alphabet consisting of legal assignments and tests in DL. The 
programs we consider here are subsets of A*, i.e. sets of finite strings of assignments 
and tests. We use B, C, ... to denote such programs, with λ, the empty string, 
denoting the identity program. 

Let J ∈ Γ, B ⊆ A*, and a ∈ B such that a ≠ λ. We say that a is J-good if we have 
J ⊨ <a>true, where a is the straight-line DL program obtained by inserting ";" between 
every two elements in the string a. Now define J ⊨ lang-loop_B iff there exists an 
infinite string s over A, every finite prefix of which is a prefix of a J-good element 
of B. Intuitively, lang-loop_B asserts that it is possible to execute an element of B 
and then extend that element repeatedly for ever, [illegible] the extension each time, 
without ever "leaving" B. 

In order to be able to compare lang-loop with loop we adopt the standard translation 
T of a regular expression into the language (set of strings) it defines. Define T: 
RG → 2^{A*} as follows: 

T(x←e) = {x←e}, 

T(P?) = {P?}, 

T(α;β) = {ab | a ∈ T(α) ∧ b ∈ T(β)}, 

T(α∪β) = T(α) ∪ T(β), 

T(α*) = (T(α))*. 

We now observe that, contrary to expectation, it is not the case that for all α ∈ RG we have 
⊨(loop_α ≡ lang-loop_{T(α)}). This follows from observing that, although T(α*) = T(α**), 
and although loop_{α*} does not necessarily hold, loop_{α**} always holds. This 
situation is perhaps best explained by showing what has to be done to a regular 
expression, i.e. a program α in RG, in order to be able to capture loop_α using 
language-diverging. 

For any α ∈ RG define α' to be α with every subprogram of the form β* replaced 
by (true? ∪ β*). Thus, we are explicitly adding the fact that "doing nothing" is a 
legal execution of β*. In this way, carrying out this degenerate (but nonempty) 
computation for ever results in a divergence which is captured by the infinite set of 
strings {true?ⁿ | n ≥ 0}. Formally, we have 

Lemma 7.10 (Meyer [44]): For any α ∈ RG, ⊨(loop_α ≡ lang-loop_{T(α')}). 
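The following Python code is an added illustration of the translation T and of the α' transformation above; it is not from the thesis. It computes the length-bounded slice of T(α) over a constructed alphabet of assignments and tests, decides J-goodness by running the straight-line program from a state J, and reports the lengths of the J-good elements of T(α), which is the bounded evidence that lang-loop asks for. The atoms, the state representation (a dict) and the length bound are assumptions made here.

```python
# Constructed alphabet A: each atom is an assignment or a test, given by a name
# and its meaning on a state (a dict of variable values). Strings are tuples.
ATOMS = {
    "x<-x+1": ("asg", lambda s: {**s, "x": s["x"] + 1}),
    "true?":  ("test", lambda s: True),
    "false?": ("test", lambda s: False),
    "x<3?":   ("test", lambda s: s["x"] < 3),
}

def atom(name):   return ("atom", name)
def seq(a, b):    return ("seq", a, b)
def union(a, b):  return ("union", a, b)
def star(a):      return ("star", a)

def T(prog, n):
    """The translation T of Section 7.4, restricted to strings of length <= n
    (T(alpha*) is infinite in general, so only the bounded slice is built)."""
    kind = prog[0]
    if kind == "atom":
        return {(prog[1],)}
    if kind == "seq":
        return {a + b for a in T(prog[1], n) for b in T(prog[2], n) if len(a + b) <= n}
    if kind == "union":
        return T(prog[1], n) | T(prog[2], n)
    if kind == "star":
        base = T(prog[1], n)
        lang = {()}                      # lambda, the empty string
        while True:                      # Kleene closure, bounded by n
            ext = {a + b for a in lang for b in base if len(a + b) <= n}
            if ext <= lang:
                return lang
            lang |= ext
    raise ValueError(prog)

def is_good(string, state):
    """J-good: the string is nonempty and its straight-line program runs to
    completion from J, i.e. every test met on the way is true."""
    if not string:
        return False
    for name in string:
        kind, fn = ATOMS[name]
        if kind == "test":
            if not fn(state):
                return False
        else:
            state = fn(state)
    return True

def good_lengths(prog, state, n):
    """Lengths of the J-good elements of T(prog) up to n. lang-loop needs J-good
    elements of unbounded length, so a list that stops short of n refutes it."""
    return sorted({len(s) for s in T(prog, n) if is_good(s, state)})

def prime(prog):
    """alpha': every subprogram beta* replaced by (true? u beta*)."""
    kind = prog[0]
    if kind == "atom":
        return prog
    if kind == "star":
        return union(atom("true?"), star(prime(prog[1])))
    return (kind, prime(prog[1]), prime(prog[2]))
```

With J = {x: 0}, the program (false?)** has no J-good strings at all in T, although loop holds for it; its primed version (true? ∪ (true? ∪ (false?)*)*) has J-good strings of every length. For (false?)*, whose loop does not hold, the primed version has a J-good string of length 1 only, as Lemma 7.10 predicts.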

Turning now to the concept of failing, we would like to "disqualify" those 
a ∈ B which are not J-good, by pruning them at the point where a test failed and inserting 
the special indicator F. Define a mapping ψ: A*×Γ → (A ∪ {F})* as follows: 
ψ(P?,J) 



*(a;b,j) 



*<a,J) If J<« a W. 



It is easy to see that this definition is a unique one. In fact, for any a and J, 

ψ(a,J) includes only assignments, and possibly one F as the last element in the string. 

Language-failing is now defined as follows: J ⊨ lang-fail_B iff there exists a ∈ B 
such that ψ(a,J) = bF, and such that for no c ∈ B is it the case that ψ(c,J) = bd where 
d ≠ F. The intuition is that B includes a language-failure in state J if one can execute a 
sequence of instructions a ∈ B starting in state J, and reach a false test without being 
able to continue from that point in some other sequence in B (i.e. no immediate alternative). 

Here too, it is not the case that ⊨(fail_α ≡ lang-fail_{T(α)}). The 
counter example being α: (x←x ∪ (false? ∪ false?)) for which we have ⊨ fail_α but 
⊨ ¬lang-fail_{T(α)}. We proceed similarly: 

For every α ∈ RG, define α'' to be α with every subprogram of the form (β ∪ γ) 
replaced by (x←x;β ∪ y←y;γ), for some x,y ∉ var(α). Thus, we are marking the fact 
that we have executed a union and have gone left or right. 

Lemma 7.11: For any α ∈ RG, ⊨(fail_α ≡ lang-fail_{T(α'')}). 

A similar treatment of the recursive programming language CF can be carried out. 
Here the counter example to ⊨(loop_α ≡ lang-loop_{T(α')}), with T extended in the 
standard way to context free grammars, is the program α: (X)*(/) for which we have 
⊨ loop_α but not ⊨ lang-loop_{T(α')} since T(α') = ∅. The coding trick needed here 
in order to capture loop_α by asserting lang-loop_{T(α''')} is to take α''' to 
be α with every program variable X in a subprogram of the form τ*(/) replaced by 
(true?;X). Thus, we are marking the fact that a recursive call "costs" a unit. 

This particular direction of defining "grammar independent" notions seems to 
justify careful investigation. It is appealing in part because it does not [illegible] 
extension of the standard definitions of such operators [illegible] to programs. Its 
drawback, however, seems to be in the fact that in order to capture such (in our opinion 
highly intuitive and natural) concepts as [illegible], one has to [illegible] 
encoding from which, in effect, the [illegible] (in this case the computation 
trees) can be reconstructed. 
8. Conclusion and Directions for Future Work. 

The following seem to be the main contributions of this thesis: 

(1) Provision of a comprehensive and rigorous description of work on dynamic logic. 

(2) Introduction of the notion of arithmetical axiomatization and provision of concise 
arithmetically complete axiom systems for a variety of logics. 

(3) Introduction of the notions of diverging and failing and, with their aid, 
clarification of the concepts of total correctness. 

(4) Provision of an analogy between iteration and recursion, giving rise to a clean 
axiomatization of recursive dynamic logic, and exposing the difficulties involved 
in reasoning about the diverging and failing of recursive programs. 

There is still a lot of work to be done. Most of the open problems scattered throughout 
the thesis are to do with comparative power of expression. It seems that some of them 
will turn out to be quite easy, and we believe that as each is solved more light will be 
gained, thus easing the task of solving the others. 

The main directions, directly related to this thesis, in which we would recommend 
that further work be done are: 

(1) Recursive programs. We feel that there ought to be a more natural way to reason 
about recursion. As is quite evident from our work on α*, the primitives of dynamic logic 
are not only adequate for expressing interesting properties of iterative programs, but 
also enable the reasoning about these properties to be carried out inductively in a 
structured manner. For some properties P of programs, a natural way in which to prove 
them of α*, is simply to prove them for "every α in α*" by proving [α*]P(α). Thus the 
problem is reduced one level. This is the essence of the rules for α* in our various 
axiom systems. For recursive programs the situation seems to be different. Here a 
one-level reduction of the problem of showing a property to hold of τ*(/), is to show that 
it holds of τ when τ*(/) is "plugged in". Thus, the along(τ,Q) construct of Section 7.2 
seems to be an important notion. And so, although the primitives of recursive dynamic 
logic still capture some of the properties that we are ultimately interested in (and so 
they should not be [illegible]), [illegible] 
expressing other properties of interest [illegible] need of 
extra tools. 

(2) Computation trees. These should [illegible] 
in mind the need for making the tree a "fair" description of the computation by assigning 
costs to assignments and tests, but not to "dummy" edges such as those which correspond to 
the "go left" and "go right" of the union operator. The trees could serve as the 
basis for carrying out an analysis of the efficiency of algorithms, with applications to 
program optimization. Our own construction of ct(α,J) in Sections [illegible] 
was strongly influenced by our interest in diverging and, [illegible] 
definition of failing might be worth looking for. Such a definition should not be made to 
falsify the main results of Chapters 5-7, but [illegible] 
appropriate modification of the definition of the trees, to make the reasoning about 
fail_α and [illegible] a lot easier. 

(3) Parallel programs. Other interesting primitives, which would perhaps enable natural 
reasoning about parallel programs, are being pursued on the propositional level and 
some results have already been obtained [illegible]. These 
primitives include for example [illegible]. It 
would be interesting to investigate the first order versions of logics which include these 
primitives and then [illegible]. It 
seems that a clean overall treatment of the problem of reasoning about programs that run 
in parallel, in the spirit of the work described in this thesis for sequential programs, 
is yet to be carried out. 
Appendix A: Relational Characterization of EPDL. 

We show that EPDL of Section 1.1.1 is embedded in a simple algebra of relations 
which employs only two operations: conventional relational composition (•), and a new 
unary operation on relations, minus (-). We point to some questions about our relational 
algebra which seem to justify further research. 

Since EPDL does not involve operations on programs (;, ∪, *) this appendix can 
be viewed therefore as providing a Boolean-algebra like abstraction of a modal logic in 
which there are possibly many modalities. 

Given a set of symbols Σ including one special symbol ∅ we define the set Ψ(Σ) 
of expressions of the relational algebra over Σ as follows. 

(1) All elements of Σ are in Ψ(Σ), 

(2) For every e and f in Ψ(Σ), (e•f) and -e are in Ψ(Σ). 

An interpretation I of Ψ(Σ) is a pair (V,r) where V is a nonempty set and r: Σ → 2^{V×V}, 
such that r(∅) = ∅. 

r is extended to the set of expressions Ψ(Σ) by 

r(e•f) = r(e) • r(f) = {(s,t) | (∃u)((s,u) ∈ r(e) and (u,t) ∈ r(f))}, 
r(-e) = -r(e) = {(s,s) | (∀t)((s,t) ∉ r(e))}. 

Thus, the minus operator (-) connects s to itself iff s was connected to no element of V 
in the original relation. 

Lemma A.1: The set -Ψ(Σ) = {-e | e ∈ Ψ(Σ)} is a Boolean algebra with • and - acting as 
intersection and complement respectively. 

Proof: It is easy to show that the standard postulates for a Boolean algebra are 
satisfied with 0 = ∅ and 1 = -∅. 

We now define a syntactic translation function from the set of EPDL-wffs to the set of 
expressions of the relational algebra over the atomic [illegible]. In other words, 
f: EPDL → Ψ(AF ∪ AP). For esthetic reasons we treat EPDL as though it was defined using 
P⊃Q and [a]P instead of P∨Q and <a>P. The latter are now to be regarded as abbreviations 
in the obvious way. 

(1) For every p ∈ AF, f(p) = p, 

f(¬P) = -f(P), 

f([a]P) = -(a•-f(P)). 

Given a structure S = (W,w?,m) for EPDL, define the interpretation I_S of Ψ(AF ∪ AP) to be 
I_S = (W,r), where 

r(p) = m(p?) for p ∈ AF, 

and r(a) = m(a) for a ∈ AP. 

The connection between EPDL and Ψ(AF ∪ AP) is captured by the following theorem. 

Theorem A.2: For every EPDL-wff P, r(f(P)) = m(P?). 

Proof: By induction on P. For P an atomic formula p ∈ AF, we have r(f(p)) = r(p) = m(p?) 
by definition. 

Consider P of^form R?Q. Aeiuafe ( vXntfMQTL »£& **/?*— <£*£** tn€n 
*ir<Q). We show that 0,1?** 4*1) * f*WJi$%* MyW) * 
-f(Q))). lr*deed, if for sonie < weW<l#*r^^ 
usuch|hat(j,u)%tfU|)ahdU,<)«r(#9n. f?«fe*«^f% , S^i , »r 

that r=j and that furthermore (V»)(( ^X r(f<Q))). In particular, ft unpOHiole 

that ( s, s) <k f( q> ) , «r *y %t ^»i i( * i N : 





(kmvefselytasiume that 6,ljW^tif ^ «|Wf i^fft^C Mfe lSW**' fr*??*"" 1 * 

Krtve a centtadfcuon from the i j^lianf aesufaption that 



< j,*Hr<*< *) r. We wm dortve 

proof follows that of the previous case iwtth m(i| repladnf {it t $)\ #«HIFj and 4 wfth 
■■jamfaajt^taaxim^^ We ,omi» bof. ■ 

ThtfeuJauttiaitiftraan^^ 
elementary logic of programs in an algebra of relations [illegible]. 
Theorem A.2 shows how to embed EPDL in this algebra. 
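As an added worked example (not part of the thesis), the following Python code realises the relational algebra of this appendix on a small constructed EPDL structure: relations are sets of pairs, composition and the unary minus are implemented literally from their definitions, f is the syntactic translation, and Theorem A.2 is checked by comparing r(f(P)) with {(s,s) | s ∈ m(P)} for given formulas. The worlds, atomic formulas and atomic programs are constructed here; the clause f(P⊃Q) = -(f(P)•-f(Q)) is an assumption, since that clause is garbled on the page, chosen because it is what the proof's case for R⊃Q works with.

```python
# Constructed EPDL structure: worlds W, truth sets of atomic formulas AF,
# accessibility relations of atomic programs AP.
W = {0, 1, 2, 3}
AF = {"p": {0, 1}, "q": {1, 2, 3}}
AP = {"a": {(0, 1), (0, 2), (1, 3)}, "b": {(2, 2)}}

def compose(r1, r2):
    """Relational composition r1 • r2."""
    return {(s, t) for (s, u) in r1 for (u2, t) in r2 if u == u2}

def minus(rel):
    """The unary minus of Appendix A: (s,s) for every s with no successor in rel."""
    return {(s, s) for s in W if all(x != s for (x, _) in rel)}

# Expressions of the algebra: ("atom", name), ("comp", e, f), ("neg", e).
def r(e):
    """The interpretation I_S: atomic formulas become diagonal relations m(p?),
    atomic programs their accessibility relations, and • and - as defined."""
    kind = e[0]
    if kind == "atom":
        name = e[1]
        if name in AF:
            return {(s, s) for s in AF[name]}
        if name in AP:
            return set(AP[name])
        if name == "empty":
            return set()
    if kind == "comp":
        return compose(r(e[1]), r(e[2]))
    if kind == "neg":
        return minus(r(e[1]))
    raise ValueError(e)

# EPDL formulas: ("p", name), ("not", P), ("imp", P, Q), ("box", a, P).
def f(P):
    """Syntactic translation f of Appendix A (the ⊃ clause is assumed, see lead-in)."""
    kind = P[0]
    if kind == "p":
        return ("atom", P[1])
    if kind == "not":
        return ("neg", f(P[1]))
    if kind == "imp":
        return ("neg", ("comp", f(P[1]), ("neg", f(P[2]))))
    if kind == "box":
        return ("neg", ("comp", ("atom", P[1]), ("neg", f(P[2]))))
    raise ValueError(P)

def truth_set(P):
    """Ordinary modal semantics m(P) over the structure."""
    kind = P[0]
    if kind == "p":
        return set(AF[P[1]])
    if kind == "not":
        return W - truth_set(P[1])
    if kind == "imp":
        return (W - truth_set(P[1])) | truth_set(P[2])
    if kind == "box":
        inner = truth_set(P[2])
        return {s for s in W if all(t in inner for (x, t) in AP[P[1]] if x == s)}
    raise ValueError(P)

def theorem_a2_holds(P):
    """r(f(P)) = m(P?), where m(P?) is the diagonal over m(P)."""
    return r(f(P)) == {(s, s) for s in truth_set(P)}

def lemma_a1_holds(e, g):
    """On minus-expressions, • is intersection and - is complement (within the diagonal)."""
    d_e, d_g = minus(r(e)), minus(r(g))
    diagonal = {(s, s) for s in W}
    return compose(d_e, d_g) == d_e & d_g and minus(d_e) == diagonal - d_e
```

Running theorem_a2_holds on [a](p⊃q), ¬[a]q or [b]p over this structure returns True in each case, and lemma_a1_holds confirms the Boolean reading of • and - on the diagonal relations.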

Note that, with notation slightly relaxed and omitting the argument to Ψ, we have 

f(EPDL) ⊂ {-Ψ ∪ AF} ⊂ Ψ. 

Both inclusions are strict; for general a ∈ AP there is no EPDL-wff P such that r(-(a•a)) 
= m(P?), and also there is no expression in {-Ψ ∪ AF} corresponding to a. An obvious 
interesting problem, then, would be to investigate the relationship between -Ψ and f(EPDL). 
For example, what is the complexity of deciding diagonality in -Ψ; i.e. how hard is it to 
decide, for arbitrary e ∈ -Ψ, whether for every interpretation r(e) = {(s,s) | s ∈ V}? We know 
that validity in EPDL, and hence diagonality in f(EPDL), is decidable. Is this true in -Ψ? 

Another possible direction to go would involve investigating "abstract" relational 
algebras; i.e. is it possible to give a finite set of postulates that a triple (K,b,u) is 
to satisfy in order for b and u to act like • and -, where K is a set of binary relations 
over some arbitrary set [illegible]. 

One of those postulates, in line with Lemma A.1, [illegible] is a Boolean 

algebra. What happens when K is [illegible]? Such representation 

theorems would seem to be of considerable interest. 
Appendix B: [illegible] 

We sketch the [illegible] of a proof in P of the total correctness of the 
(deterministic) program computing McCarthy's 91-function [illegible] (see [illegible]). 

We assume the universe N of [illegible], such as < 
etc. as abbreviations for the obvious first order formulae they stand for. We [illegible] 
McCarthy [illegible] showed 
that the least fixpoint of the functional 



•>t!!J>?'< 



f(x) = if x>100 then x-10 else f(f(x+11)) 

is the function 

f(x) = x-10 if x>100, 
f(x) = 91 otherwise. 

We consider an iterative version of this recursive definition, in the form of the 
following regular program τ [illegible] which 
computes f(x) in z, so that [illegible]. 



Define m fvtetf;ii*i«U'iy*y*if' : 

fit a*-i-M>jy*-y-l, 
y; o*;(W<i a y*H)?;p\ 

We prove the N-validity of 

(100≥z ∧ y=1) ⊃ <τ*>(100<z ∧ y=1) 

by defining the convergent P(n) as follows: 

P(n): y>0 ∧ z>0 ∧ 111≥z ∧ n=90-z+11y. 

(Note: P(n) is in fact the arithmetical equivalent of <τⁿ>(100<z ∧ y=1).) 

We prove (in P) the following three formulae, and then an application of the derived rule 
(J') gives the result: 



(101≥z ∧ y=1) ⊃ ∃nP(n),
(*) P(n+1) ⊃ <γ>P(n),
and P(0) ⊃ (z=101 ∧ y=1).

The first and third of these can easily be seen to be axioms in (B) (i.e. N-valid L-wffs). We prove the second, (*).

Abbreviate 100<z ∧ P(n) to P_1(n),
100≥z ∧ z≥90 ∧ P(n) to P_2(n),
and z<90 ∧ P(n) to P_3(n).

Certainly we have that the following is N-valid and hence an axiom:

(**) (P_1(n) ∨ P_2(n) ∨ P_3(n)) ≡ P(n),

and so we prove, for i=1,2,3, that

P_i(n+1) ⊃ <γ>P(n)

and use (**) to conclude (*). We omit the cases i=1 and i=2, which are reasonably straightforward. For i=3 it is sufficient to prove

P_3(n+1) ⊃ <α*>(1<y ∧ 100<z ∧ 121≥z ∧ n=89-z+11y).

We will actually prove

P_3(n+1) ⊃ <α*;α;α>(1<y ∧ 100<z ∧ 121≥z ∧ n=89-z+11y),

which reduces to proving

P_3(n+1) ⊃ <α*>(z>78 ∧ 89≥z ∧ n=89-z+11y).
We use (J') again, this time with the convergent

Q(m): y>0 ∧ z>0 ∧ z<90 ∧ n=89-z+11y ∧ m=floor((100-z)/11)-1,

where m=floor(a/b) abbreviates (a≥m·b ∧ (m+1)·b>a). It can readily be seen that we can prove in P

P_3(n+1) ⊃ ∃mQ(m),
Q(m+1) ⊃ <α>Q(m),
and Q(0) ⊃ (z>78 ∧ 89≥z ∧ n=89-z+11y),

which completes the proof. ∎
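As an added example, not part of the thesis, the programs α, β and γ of this appendix as Python state transformers on (z, y), with a run of γ* checked against the convergents P(n) and Q(m) defined above; the strategy "iterate α until z>100, then β" is assumed as the witness for the existential <γ> in premise (*).

```python
# Added example, not from the thesis: the programs alpha, beta and gamma of
# Appendix B as state transformers on (z, y), with a run of gamma* checked
# against the convergents P(n) and Q(m).  "Push while z<=100, then unwind" is
# the assumed witness for the existential <gamma> in premise (*).
from typing import List, Optional, Tuple
State = Tuple[int, int]  # (z, y): z is the argument, y counts pending calls

def alpha(s: State) -> Optional[State]:
    """alpha: (z<=100)?; z<-z+11; y<-y+1.  None when the test fails."""
    return (s[0] + 11, s[1] + 1) if s[0] <= 100 else None

def gamma(s: State) -> Optional[List[State]]:
    """gamma: alpha*; (100<z and y>=1)?; beta, with beta: z<-z-10; y<-y-1.
    Returns the states after each alpha and after beta, or None if blocked."""
    path, nxt = [], alpha(s)
    while nxt is not None:       # iterate alpha to exhaustion (the witness)
        s, nxt = nxt, alpha(nxt)
        path.append(s)
    if not (100 < s[0] and s[1] >= 1):
        return None
    return path + [(s[0] - 10, s[1] - 1)]

def n_of(s: State) -> int:
    """n in P(n): n = 90 - z + 11*y."""
    return 90 - s[0] + 11 * s[1]

def m_of(s: State) -> int:
    """m in Q(m), meaningful while z < 90: m = floor((100-z)/11) - 1."""
    return (100 - s[0]) // 11 - 1

def run(x: int) -> Tuple[int, List[State]]:
    """Iterate gamma from (x, 1) until y = 0; return final z and the gamma-trace."""
    s, trace = (x, 1), [(x, 1)]
    while s[1] > 0:
        s = gamma(s)[-1]        # gamma is enabled whenever y >= 1
        trace.append(s)
    return s[0], trace

def check_convergents(x: int) -> bool:
    """For 0 <= x <= 101: P(n) holds along the gamma-trace with n dropping by exactly 1
    per gamma (premise (*)); each alpha taken from z < 90 drops m by exactly 1
    (Q(m+1) => <alpha>Q(m)); and (101, 1), the state of P(0), is reached."""
    _, trace = run(x)
    for s0, s1 in zip(trace, trace[1:]):
        if not (s0[1] > 0 and s0[0] <= 111 and n_of(s1) == n_of(s0) - 1):
            return False
        s = s0
        for p in gamma(s0)[:-1]:       # the alpha steps inside this gamma
            if s[0] < 90 and m_of(p) != m_of(s) - 1:
                return False
            s = p
    return (101, 1) in trace
```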
Appendix C: Example of a Proof of a CFDL-wff in P.

We sketch a proof of the partial correctness of the factorial program of Section 4.1. We prove, using standard arithmetical abbreviations,

⊢_P [z←x; τ*(/)] y=x!,

where

τ(X): (z=0?; y←1) ∪ (z≠0?; z←z-1; X; z←z+1; y←y·z).

First we prove in P

(1) [z←x] z=x,
and (2) z=x ⊃ [τ*(/)] y=x!,

and then, using (H), (C) and (E), we obtain the result.

(1) is trivial using (C). To prove (2) in P we apply the derived rule (M*) as follows. Note that var(τ) = (y,z). Take

R: z=x,
Q: y=z!,
and P: z'=z ∧ y'=z!.

We have left to show 

(3) Pxatl^Ay 1 '!!) 1 ^^!!, A 

and ( 4) ( z'=z a /^z!) => t( z*0?;y*-l) u ( zrfff;z«-z-i ;1 z*z a /«»!** y ' x) 

jz^z+ljy^yz)^^ A ysz*t>. 

To prove (3) we use (K), obtaining

z=x ⊃ (∀y'',z'')((z''=z ∧ y''=z!) ⊃ y''=z''!),

which is an axiom in (B). Proving (4), by (F), (C) and (E), amounts to proving both

which again is an axiom in (B), and

(6) (t'uA^y) ^Cw^t^-il^Ay*^***^

<t*x*i A ftt*l)*t1h

The latter we prove by proving in P

(7) (^ia/w) a Cw*l?;i^-Ui»fi,

and (8) ziOaCdViA/^^Ka^lAyl**!)*!*!).

The proof of (7) is quite easy using (C), (D), (E) and (I). For (8) we apply rule (K) again, to obtain

(9) ziO ^ (Vy",i-H(«"«* A f*d) =» (*W<* A y*1«M)«rf)),

which is an axiom in (B). ∎



Appendix D: Example of a Proof of a DL⁺-wff in P⁺.

Consider the following program

α: (x≠z?; ((x=y?; x←x+1) ∪ x←x+2))*.

Assume a state s∈N for which x=0. Then, starting from 0, x gets increased by 2 as long as x does not "hit" z. Also, if x happens to hit y, then one increase by 1 is permitted before the by-2 increases are resumed. Two properties of α which are of interest in such states, and which depend on the values of z and y in these states, are:

(a) whether x can be made to skip z, and

(b) whether x can be made to hit z,

and these can be written simply as loop α and <α>x=z respectively. The behavior of α in all states of N in which x=0 depends upon whether or not z and y are odd, and also upon whether or not y<z. The complete situation is given by the following table, where odd(i) and even(i) stand for ∃z'(i=1+2z') and its negation respectively:





                    odd(y)               even(y), y>z          even(y), y<z

  odd(z)      loop α ∧ ¬<α>x=z     loop α ∧ ¬<α>x=z      loop α ∧ <α>x=z
  even(z)    ¬loop α ∧ <α>x=z     ¬loop α ∧ <α>x=z      loop α ∧ <α>x=z

(Note that ¬loop α implies <α>x=z.)
We now prove that

is N-valid by proving the following three formulae:

(1) (x=0 ∧ even(z) ∧ (odd(y) ∨ y>z)) ⊃ ¬loop α,
(2) (x=0 ∧ odd(z)) ⊃ loop α,
(3) (x=0 ∧ even(y) ∧ y<z) ⊃ loop α.

Combining these gives the required result.

(1); We wot** like to apply the derive* wm'mSHm**WW** **« f Cn) » be 
f ^y> V y»> A %Bt A ti*»<N^a*> 

CertelnJra* s JnW*y#l*^ 

which we have ' '>'"■ V *"- N ." ■■ r 



JHx4 A «MMtil A (#dd<y)ii)) 



IV#: 



we also have FW headtof, «M h t* taken to bt q ♦ Ctj* /». We w« W* ***»*, 
with having mvmm- ft mM MlOM &tm&t-iMl*****'' 



and (P(n+1) ∧ x≠z) ⊃ [x←x+2]P(n).



The first is an axiom and the second can easily be proved in P⁺.



(2): Here we would like to apply derived rule (U') and are looking for a divergent P. We take P to be simply

odd(z) ∧ even(x),

and it is easy to see that (x=0 ∧ odd(z)) ⊃ P is N-valid, and hence an axiom of P⁺. Also, one can prove in P⁺ that

P ⊃ (x≠z ∧ <x←x+2>P),

so that we have proved P ⊃ <β>P in P⁺ (β being the body of the loop α) and can apply (U') to obtain the result.

(3): Similarly (U') is used, and here the divergent P is taken to be

y<z ∧ even(y) ∧ ((odd(z) ∧ even(x)) ∨ (even(z) ∧ (x≤y ∨ odd(x)))).

It is easy to see that (x=0 ∧ even(y) ∧ y<z) ⊃ P is N-valid, and we leave to the reader the task of verifying that P ⊃ <β⁺>P is provable in P⁺ (in fact P ⊃ <β>P is), and then an application of (U') completes the proof. ∎
Appendix E: Example of a Proof of a CFDL⁺-wff in P⁺.

Consider the program

α: (u«v?o U0^t;v^i*2^0^'itfHJ)

for which it is the case that

⊨_N ((u=0 ∧ odd(v)) ≡ loop α)

holds. We sketch the proof in P⁺ of one direction, namely that

(u=0 ∧ odd(v)) ⊃ loop α

is N-valid. α is of the form τ*(/), and we have by definition

τ: (y≠a? ∪ (y=a?; x=a?; y←b)),
and τ'(X): (<»**? u x«-b) u ((uf«v? x+*>) i**w%;iX u x«-b) ;u*-u-2) )*(/).

We apply rule (W) taking R to be (u=0 ∧ odd(v)), Q to be false, and P(n)=P to be

(even(u) ∧ odd(v) ∧ u'=u ∧ y'=b ∧ x'=a ∧ x=a ∧ y=a),

where V=(u,x,y). The third premise of rule (W) is trivially N-valid. Considering the second, we can easily prove

(u'=u ∧ y'=b ∧ x'=a ∧ x=a) ⊃ <y=a?; x=a?; y←b>(u=u' ∧ x=x' ∧ y=y')

and hence establish, by further propositional reasoning,

P ⊃ <τ>V=V'.

Also, one can prove

P ⊃ <u≠v?; u←u+2; P^V; u←u-2>V=V',

from which the fourth premise follows. We are left with having to prove the first premise. This is done by proving

R ⊃ ∀n<x←a; y←a; P^V>y=b,

which simplifies to having to prove

R ⊃ <x←a; y←a; P^V>y=b.

This again can easily be seen to be provable in P⁺, giving the conclusion. ∎
Errata for MIT/LCS/TR-200, by David Harel.

Page 43. Rule (H) should read:

(H)      P ⊃ Q                 P ⊃ Q
     --------------   and   ------------
      [α]P ⊃ [α]Q            ∃xP ⊃ ∃xQ



Pages 38-39. Theorem 3.1 and its proof should read:

Theorem 3.1 (Theorem of Completeness): For any universe U and M-extension L(M) of L, a U-sound axiom system P(M) for L(M) is U-complete whenever

(1) P(M) is propositionally complete,

(2) L is U-expressive for L(M),

(3) For any k∈K, variable x and L(M)-wffs R and Q,
 if ⊢_P(M) (R ⊃ Q) then ⊢_P(M) ((M_k)R ⊃ (M_k)Q), and
 if ⊢_P(M) (R ⊃ Q) then ⊢_P(M) (∃xR ⊃ ∃xQ), and

(4) For any k∈K and L-wffs R and Q,
 if ⊨_U R then ⊢_P(M) R,
 if ⊨_U (R ⊃ (M_k)Q) then ⊢_P(M) (R ⊃ (M_k)Q), and
 if ⊨_U (R ⊃ ¬(M_k)Q) then ⊢_P(M) (R ⊃ ¬(M_k)Q).

Proof: We have to prove that if P is an L(M)-wff such that ⊨_U P, then ⊢_P(M) P. By the propositional completeness of P(M) we can assume that P is given in conjunctive normal form, and we proceed by induction on the sum n of the number of appearances of M and the number of quantifiers prefixed to non-first-order formulae occurring in P. In the case n=0, P is first-order and by the first line in assumption (4) it is provable if it is U-valid. Assume that n>0 and that the theorem holds for any formula with n-1 or fewer appearances of M and such quantifiers. If P is of the form P1 ∧ P2 then we have ⊨_U P1 and ⊨_U P2, both of which have to be proved in P(M), so that we can restrict our attention to a single disjunction. Without loss of generality we can, therefore, assume that P is of one of the forms:

P1 ∨ (M_k)P2,  P1 ∨ ¬(M_k)P2,  P1 ∨ ∃xP2  or  P1 ∨ ¬∃xP2,

where k∈K, and the right-hand disjunct is not first-order. Thus we are guaranteed that in each case P2 has fewer than n appearances of M and such quantifiers. Let us use p to denote (M_k), ¬(M_k), ∃x or ¬∃x according to which is the case.



L is expressive for L(M), and so for any L(M)-wff Q there is an L-wff Q_i which is equivalent to Q. We have then ⊨_U (¬P1_i ⊃ pP2_i). Now, using assumption (4) (since P1_i and P2_i are L-wffs) we also have

(+) ⊢_P(M) (¬P1_i ⊃ pP2_i).

Now surely, by the definition of P1_i and P2_i, we have ⊨_U (¬P1 ⊃ ¬P1_i) and ⊨_U (P2_i ⊃ P2). Both these last formulae have fewer than n appearances of M and such quantifiers, and hence by the inductive hypothesis

(++) ⊢_P(M) (¬P1 ⊃ ¬P1_i) and ⊢_P(M) (P2_i ⊃ P2).

By assumption (3) (together with the propositional completeness when the second and fourth of the above cases are considered) we can obtain from the latter

(+++) ⊢_P(M) (pP2_i ⊃ pP2).

From (+), (++) and (+++) we get, using propositional reasoning,

⊢_P(M) (¬P1 ⊃ pP2), or ⊢_P(M) (P1 ∨ pP2). ∎



